Now on Demand: Zero Trust Strategies Summit - Access All Sessions
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

ICS/OT

Meteocontrol Patches Flaws in Photovoltaic Data Logger

Meteocontrol, a Germany-based company that specializes in solar performance monitoring solutions, has released an update for one of its data logging products to address several remotely exploitable vulnerabilities.

Meteocontrol, a Germany-based company that specializes in solar performance monitoring solutions, has released an update for one of its data logging products to address several remotely exploitable vulnerabilities.

Security researcher Karn Ganeshen discovered that Meteocontrol’s WEB’log product, which allows organizations to centrally record data for their photovoltaic systems, is plagued by critical authentication and information exposure flaws. The issues were reported to the vendor through ICS-CERT in December 2015.

The vulnerable SCADA system is used in Europe and the United States (a small percentage) in the energy, water, critical manufacturing and commercial facilities sectors.

Ganeshen discovered that the WEB’log administration interface does not enforce access control and any webpage is directly accessible through its URL (CVE-2016-2296). The researcher also found a default login password, and that the administrator password is stored in clear text and it can be easily obtained (CVE-2016-2298).

Ganeshen also identified a command shell-like feature that allows anyone to execute system commands without authentication (CVE-2016-2297). While the vendor noted that the feature cannot be used to run critical system commands, the expert believes it introduces unnecessary risks.

In a blog post published on Saturday, the researcher revealed the existence of a cross-site request forgery (CSRF) flaw that can be exploited to perform actions on behalf of the user.

Meteocontrol WEBlog

“Successful exploitation of this vulnerability can allow silent execution of unauthorized actions on the device such as modifying plant data, modifying modbus/inverter/any other PLC devices, changing Administrator password, changing configuration parameters, saving modified configuration, & device reboot,” Ganeshen said.

This vulnerability was reported to ICS-CERT at a later time so it might not have been patched.

Advertisement. Scroll to continue reading.

According to an advisory published by ICS-CERT, the vulnerabilities affect all versions of WEB’log Basic 100, Light, Pro and Pro Unlimited. Meteocontrol has released a new version to address the issues.

The flaws can be exploited remotely even by an attacker with low skill. However, the vendor noted that its product should be installed behind a firewall and not directly connected to the Internet.

“There is no security. It is a free play, as you would have noticed,” Ganeshen said. “And the risk is high. Due to access control issues, above described vulnerabilities can be remotely exploited easily, at a mass scale, in an automated manner. At this point, it is easy to write a script that will POST (write) arbitrary configuration parameters to WEB’log applications, and reboot the devices, at a mass scale.”

Meteocontrol is not the only company whose ICS products have been analyzed by Ganeshen. In the past months, the researcher reported vulnerabilities to WAGO, Schneider Electric, Moxa, GE Industrial Solutions, XZERES, Nordex and eWON.

*Updated with additional information from Karn Ganeshen

Related Reading: PLC Worms Can Pose Serious Threat to Industrial Networks

Related Reading: Dam Hackers! The Rising Risks to ICS and SCADA Environments

Registration for 2016 ICS Cyber Security Conference Now Open

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join SecurityWeek and Hitachi Vantara for this this webinar to gain valuable insights and actionable steps to enhance your organization's data security and resilience.

Register

Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.

Register

People on the Move

Former Darktrace CEO Poppy Gustafsson has joined the UK government as Minister for Investment.

Nupur Goyal has joined cloud identity security and management solutions provider Saviynt as VP of Product Marketing.

Threat intelligence firm Intel 471 has appointed Mark Huebeler as its COO and CFO.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.