Flaws Expose Sauter SCADA Systems to Takeover

Researchers at vulnerability management company Outpost24 have identified a series of vulnerabilities that can be exploited by a remote attacker to take complete control of Sauter’s moduWEB Vision SCADA product. The vendor has released a firmware update to address the issues.

Sauter is a Switzerland-based company that specializes in building automation and system integration products. moduWEB Vision is a web-based visualization solution designed to allow users to operate and monitor building technologies remotely.

[Image caption: Sauter moduWEB Vision vulnerabilities]

One of the vulnerabilities identified by Outpost24 researchers is related to the existence of default accounts. Sauter instructs users to change the password of the administrator account, but there are other default accounts not covered in the vendor’s documentation.

While these accounts don’t have administrative privileges, accessing them allows an attacker to obtain the password hash for the admin account via a backup feature introduced in recent versions of Sauter moduWEB Vision.

According to experts, attackers don’t need to crack the hash to access the administrator account, and instead they can use the hash directly to authenticate on the system via what is known as a pass the hash attack. This insecure credential storage issue has been assigned the identifier CVE-2015-7914.
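To make the pass-the-hash point concrete, the following added example (not code from the article, Outpost24 or Sauter; the scheme and all values are constructed) contrasts a login check in which the stored, unsalted hash is itself the credential with a hardened check that only accepts the password and re-derives a salted hash server-side:

```python
import hashlib
import hmac

# Constructed sample admin record. These values are made up for the example
# and do not come from the article or from any real moduWEB Vision backup.
ADMIN_PASSWORD = "Correct-Horse-42"
ADMIN_SALT = bytes.fromhex("0f1e2d3c4b5a6978")

def unsalted_digest(password: str) -> str:
    """Client-side hashing scheme: the hash travels on the wire and is
    stored verbatim, so the hash value *is* the credential."""
    return hashlib.sha256(password.encode()).hexdigest()

WEAK_RECORD = {"user": "admin", "hash": unsalted_digest(ADMIN_PASSWORD)}

def weak_login(submitted_hash: str) -> bool:
    # Vulnerable pattern (hypothetical): whoever holds the stored hash,
    # e.g. recovered from an exported backup, can replay it and is accepted.
    return hmac.compare_digest(submitted_hash, WEAK_RECORD["hash"])

def salted_digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

STRONG_RECORD = {
    "user": "admin",
    "salt": ADMIN_SALT,
    "hash": salted_digest(ADMIN_PASSWORD, ADMIN_SALT),
}

def strong_login(submitted_password: str) -> bool:
    # Hardened pattern: the server receives the password, re-derives the
    # salted hash and compares in constant time. A leaked hash value is
    # just another wrong password here, so the backup no longer grants login.
    derived = salted_digest(submitted_password, STRONG_RECORD["salt"])
    return hmac.compare_digest(derived, STRONG_RECORD["hash"])

def leaked_hash_from_backup() -> str:
    # What a backup file would expose under the weak scheme.
    return WEAK_RECORD["hash"]

if __name__ == "__main__":
    leaked = leaked_hash_from_backup()
    print("weak scheme accepts leaked hash:", weak_login(leaked))        # True
    print("hardened scheme accepts leaked hash:", strong_login(leaked))  # False
    print("hardened scheme accepts real password:",
          strong_login(ADMIN_PASSWORD))                                  # True
```

The hardened check still depends on the backup not leaking the password itself, which is why the separate cleartext-transmission issue described below matters on its own.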

Once they gain access with administrator privileges, attackers can reset the system to its default configuration, change the configuration or disable devices, and modify all passwords.

Other authentication data found in the moduWEB Vision backup files is encrypted, but Outpost24 discovered that some of the passwords are transmitted in clear text (CVE-2015-7915) when populating the password field in cases where the “keep me logged in” feature is enabled. It’s worth noting that this feature is also present only on newer versions of the SCADA system.

This poorly protected password can be leveraged to access SMTP accounts used for email notifications.

“The emails are used to gather SCADA events and other information about enrolled systems, and this gets the attacker an initial foothold where additional information can be acquired, not only about the current SCADA system but regarding any other SCADA systems setup to use the same event management email account,” Outpost24 explained in a blog post.

In addition to using the pass the hash attack to gain administrator privileges, an authenticated attacker can also leverage a persistent cross-site scripting (XSS) vulnerability found in the user and events management panels to elevate privileges and execute commands on behalf of an administrator (CVE-2015-7916). The attacker can plant the XSS payload into the “username” field and it gets executed when a page containing the malicious code is accessed by the administrator.

A Shodan search shows that Sauter moduWEB Vision installations are exposed to the Internet and they are not difficult to pinpoint because the product runs on a less common web server that has specific header information, Outpost24 CSO Martin Jartelius told SecurityWeek.

“As always, if you have a home- or building automation system, those are built with other requirements than security in first place. A good solution is often to, regardless if you know of vulnerabilities in them or not, assume that there are associated risks, and deploy them in such a manner that you need to use a decent VPN to gain the initial access,” Jartelius explained via email.

The researcher said the vulnerabilities were reported to Sauter in April 2015 and they were completely patched in roughly 9 months, although the high risk issues were addressed sooner.

Sauter has released version 1.6.0 of the firmware to address the flaws, but Outpost24 says many systems remain unpatched, which is why the company has not disclosed technical details for some of the uncovered issues.

It’s worth noting that the security firm identified several weaknesses that have been fixed by the vendor, but only three of them have been assigned CVE identifiers. ICS-CERT has also published an advisory describing the security holes found by Outpost24.

Jartelius commended Sauter for being a responsive vendor and noted that the company’s platform has above average security.

Related: Only Few Organizations Patched Recent Honeywell SCADA Flaw

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
