Vulnerabilities Found in Several SCADA Products

ICS-CERT published advisories this week for a series of vulnerabilities affecting SCADA products from Resource Data Management, IBC Solar and EasyIO.

The flaws detailed in ICS-CERT’s advisories were discovered and reported by security researcher Maxim Rupp.

The expert has identified a couple of vulnerabilities in Data Manager, a web-based SCADA monitoring system made by energy and building controls company Resource Data Management (RDM). The more serious of these issues is a privilege escalation bug (CVE-2015-6470) that can be exploited by a valid user to change the passwords of other users, including administrators.

Rupp told SecurityWeek that this is a serious vulnerability, especially since the affected product is used in hospitals and railway stations.

Another security hole found in RDM’s Data Manager application is a cross-site request forgery (CSRF) that an attacker can exploit to perform actions on behalf of authenticated users by tricking them into visiting a specially crafted page (CVE-2015-6468).

The Data Manager vulnerabilities, reported by Rupp in mid-August, can be exploited by a remote attacker with low skill. RDM has released version 2.2 of the application to address the issues.

A different advisory published by ICS-CERT this week describes three types of vulnerabilities found by Rupp in SCADA systems offered by IBC Solar, a Germany-based photovoltaic solutions provider specializing in solar modules, solar power plants and inverters. The affected products are ServeMaster TLP+ and Danfoss TLX Pro+ inverters.

One of the bugs is caused by an incorrect default setting in the impacted products. The flaw can be exploited by a remote attacker to obtain the application’s source code and read configuration files, Rupp told SecurityWeek.

The expert has also identified the existence of plain text passwords in the source code of web pages, and multiple cross-site scripting (XSS) vulnerabilities. The following CVE identifiers have been assigned to the IBC Solar product bugs: CVE-2015-6469, CVE-2015-6474 and CVE-2015-6475.

Rupp says he has identified roughly 2,000 hosts running the vulnerable applications.

The vulnerabilities were reported in March 2015, but a fix has yet to be released. IBC Solar representatives told SecurityWeek that they will discuss the issues with the manufacturer of IBC ServeMaster, SMA Solar Technology, which acquired Danfoss’ solar inverter business in 2014.

IBC Solar has pointed out that IBC ServeMaster has never been available on the U.S. market. The company’s products are used in the energy sector in several European and Asian countries.

An advisory published by ICS-CERT on Thursday details a hardcoded credentials vulnerability (CVE-2015-3974) found by Rupp in EasyIO-30P-SF, a rugged, network centric, high performance, multi-protocol I/O controller used in various sectors across the world.

The hardcoded password that exists in this product allows a remote attacker with low skill to gain unrestricted access to the controller.

EasyIO has released a patch to address the vulnerability. The fix has also been provided to the nine OEM vendors whose products are affected by the issue, including Accutrol, Bar-Tech Automation, Infocon/EasyIO, Honeywell Automation India, Johnson Controls Group, SyxthSENSE, Transformative Wave Technologies, Tridium Asia Pacific, and Tridium Europe.

Related: Learn More at the ICS Cyber Security Conference

Related: Flaw in Fingerprint Access Devices Could Make It Easy to Open Doors

Related: Alerts Issued for Zero-Day Flaws in SCADA Systems