Vulnerabilities Found in Several SCADA Products

ICS-CERT published advisories this week for a series of vulnerabilities affecting SCADA products from Resource Data Management, IBC Solar and EasyIO.

The flaws detailed in ICS-CERT’s advisories were discovered and reported by security researcher Maxim Rupp.

The expert has identified a couple of vulnerabilities in Data Manager, a web-based SCADA monitoring system made by energy and building controls company Resource Data Management (RDM). The more serious of these issues is a privilege escalation bug (CVE-2015-6470) that can be exploited by a valid user to change the passwords of other users, including administrators.

Rupp told SecurityWeek that this is a serious vulnerability, especially since the affected product is used in hospitals and railway stations.

Another security hole found in RDM’s Data Manager application is a cross-site request forgery (CSRF) flaw that an attacker can exploit to perform actions on behalf of authenticated users by tricking them into visiting a specially crafted page (CVE-2015-6468).

The Data Manager vulnerabilities, reported by Rupp in mid-August, can be exploited by a remote attacker with low skill. RDM has released version 2.2 of the application to address the issues.

A different advisory published by ICS-CERT this week describes three types of vulnerabilities found by Rupp in SCADA systems offered by IBC Solar, a Germany-based photovoltaic solutions provider specializing in solar modules, solar power plants and inverters. The affected products are ServeMaster TLP+ and Danfoss TLX Pro+ inverters.

One of the bugs is caused by an incorrect default setting in the impacted products. The flaw can be exploited by a remote attacker to obtain the application’s source code and read configuration files, Rupp told SecurityWeek.

The expert has also identified the existence of plain text passwords in the source code of web pages, and multiple cross-site scripting (XSS) vulnerabilities. The following CVE identifiers have been assigned to the IBC Solar product bugs: CVE-2015-6469, CVE-2015-6474 and CVE-2015-6475.

Rupp says he has identified roughly 2,000 hosts running the vulnerable applications.

The vulnerabilities were reported in March 2015, but a fix has yet to be released. IBC Solar representatives told SecurityWeek that they will discuss the issues with the manufacturer of IBC ServeMaster, SMA Solar Technology, which acquired Danfoss’ solar inverter business in 2014.

IBC Solar has pointed out that IBC ServeMaster has never been available on the U.S. market. The company’s products are used in the energy sector in several European and Asian countries.

An advisory published by ICS-CERT on Thursday details a hardcoded credentials vulnerability (CVE-2015-3974) found by Rupp in EasyIO-30P-SF, a rugged, network-centric, high-performance, multi-protocol I/O controller used in various sectors across the world.

The hardcoded password that exists in this product allows a remote attacker with low skill to gain unrestricted access to the controller.

EasyIO has released a patch to address the vulnerability. The fix has also been provided to the nine OEM vendors whose products are affected by the issue, including Accutrol, Bar-Tech Automation, Infocon/EasyIO, Honeywell Automation India, Johnson Controls Group, SyxthSENSE, Transformative Wave Technologies, Tridium Asia Pacific, and Tridium Europe.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
