ICS-CERT has published advisories detailing several vulnerabilities in ICS products from Accuenergy, Ecava and Sierra Wireless, including issues that have been rated “high severity.”
Security researcher Maxim Rupp has been credited for reporting two serious flaws in Accuenergy’s Acuvim power meters, which are primarily used in the energy sector in North America and China.
The expert discovered that Acuvim II and Acuvim IIR devices running version 3.08 of the firmware are affected by an authentication bypass issue (CVE-2016-2293) that allows an attacker to access the device’s settings simply by knowing a specific URL on the web server.
Another security issue found in these Accuenergy devices is related to the storage of mail server credentials in plain text in an unprotected file (CVE-2016-2294).
According to ICS-CERT, the vendor has not released firmware updates to patch these vulnerabilities, but it did publish a document describing steps that can be taken by customers to protect power meters from external access.
Rupp has also been credited for discovering a medium severity information disclosure vulnerability (CVE-2016-6479) in Sierra Wireless’ ACEmanager, a product that provides a graphical user interface for configuring the company’s AirLink gateways. The product is used in various sectors in North America and Europe.
The vulnerability affects Sierra Wireless AirLink LS300, GX400, GX440, GX450, ES440 and ES450 products running version 4.4.2 and earlier of the ALEOS platform. The flaw has been patched with the release of a new version.
Rupp told SecurityWeek that he informed Accuenergy of the vulnerabilities in early January, and Sierra Wireless in June 2015. The expert was previously credited for finding security holes in XZERES wind turbines, Tollgrade’s LightHouse SMS power distribution monitoring product, Honeywell’s Tuxedo Touch automation controllers and Midas gas detectors, Chiyu Technology fingerprint access controllers, and an ICONICS web-based HMI.
ICS-CERT has also published an advisory describing several vulnerabilities in Ecava IntegraXor, a web-based HMI/SCADA product used in various industries across the world.
Steven Seeley of Source Incite and independent researcher Marcus Richerson have been credited for responsibly disclosing the issues.
The most serious of the flaws, with a CVSS score of 9.8, is related to the fact that the IntegraXor web server transmits sensitive information without encrypting it (CVE-2016-2306). Another high severity issue is a SQL injection flaw (CVE-2016-2299) that can be exploited by a remote attacker to execute arbitrary SQL queries. The lack of HTTPOnly flags on session cookies (CVE-2016-2304), which could allow an attacker to steal cookies and use them to log in as an administrator, has also been classified as a high severity issue.
Several medium severity vulnerabilities have also been identified by Richerson and Seeley, including cross-site scripting (XSS), improper neutralization of special elements in HTTP headers, SQL injection, improper authorization on sensitive pages, and information disclosure flaws.
Ecava patched most of these vulnerabilities and made some security improvements with the release of IntegraXor version 5.0 build 4522. All previous versions are affected.