Meteocontrol, a Germany-based company that specializes in solar performance monitoring solutions, has released an update for one of its data logging products to address several remotely exploitable vulnerabilities.
Security researcher Karn Ganeshen discovered that Meteocontrol’s WEB’log product, which allows organizations to centrally record data for their photovoltaic systems, is plagued by critical authentication and information exposure flaws. The issues were reported to the vendor through ICS-CERT in December 2015.
The vulnerable SCADA system is used in Europe and the United States (a small percentage) in the energy, water, critical manufacturing and commercial facilities sectors.
Ganeshen discovered that the WEB’log administration interface does not enforce access control and any webpage is directly accessible through its URL (CVE-2016-2296). The researcher also found a default login password, and that the administrator password is stored in clear text and it can be easily obtained (CVE-2016-2298).
Ganeshen also identified a command shell-like feature that allows anyone to execute system commands without authentication (CVE-2016-2297). While the vendor noted that the feature cannot be used to run critical system commands, the expert believes it introduces unnecessary risks.
In a blog post published on Saturday, the researcher revealed the existence of a cross-site request forgery (CSRF) flaw that can be exploited to perform actions on behalf of the user.
“Successful exploitation of this vulnerability can allow silent execution of unauthorized actions on the device such as modifying plant data, modifying modbus/inverter/any other PLC devices, changing Administrator password, changing configuration parameters, saving modified configuration, & device reboot,” Ganeshen said.
This vulnerability was reported to ICS-CERT at a later time so it might not have been patched.
According to an advisory published by ICS-CERT, the vulnerabilities affect all versions of WEB’log Basic 100, Light, Pro and Pro Unlimited. Meteocontrol has released a new version to address the issues.
The flaws can be exploited remotely even by an attacker with low skill. However, the vendor noted that its product should be installed behind a firewall and not directly connected to the Internet.
“There is no security. It is a free play, as you would have noticed,” Ganeshen said. “And the risk is high. Due to access control issues, above described vulnerabilities can be remotely exploited easily, at a mass scale, in an automated manner. At this point, it is easy to write a script that will POST (write) arbitrary configuration parameters to WEB’log applications, and reboot the devices, at a mass scale.”
Meteocontrol is not the only company whose ICS products have been analyzed by Ganeshen. In the past months, the researcher reported vulnerabilities to WAGO, Schneider Electric, Moxa, GE Industrial Solutions, XZERES, Nordex and eWON.
*Updated with additional information from Karn Ganeshen
Related Reading: PLC Worms Can Pose Serious Threat to Industrial Networks
Related Reading: Dam Hackers! The Rising Risks to ICS and SCADA Environments