ICS-CERT published advisories this week for a series of vulnerabilities affecting SCADA products from Resource Data Management, IBC Solar and EasyIO.
The flaws detailed in ICS-CERT’s advisories were discovered and reported by security researcher Maxim Rupp.
The expert has identified a couple of vulnerabilities in Data Manager, a web-based SCADA monitoring system made by energy and building controls company Resource Data Management (RDM). The more serious of these issues is a privilege escalation bug (CVE-2015-6470) that can be exploited by a valid user to change the passwords of other users, including administrators.
Rupp told SecurityWeek that this is a serious vulnerability, especially since the affected product is used in hospitals and railway stations.
Another security hole found in RDM’s Data Manager application is a cross-site request forgery (CSRF) that an attacker can exploit to perform actions on behalf of authenticated users by tricking them into visiting a specially crafted page (CVE-2015-6468).
The Data Manager vulnerabilities, reported by Rupp in mid-August, can be exploited by a remote attacker with low skill. RDM has released version 2.2 of the application to address the issues.
A different advisory published by ICS-CERT this week describes three types of vulnerabilities found by Rupp in SCADA systems offered by IBC Solar, a Germany-based photovoltaic solutions provider specializing in solar modules, solar power plants and inverters. The affected products are ServeMaster TLP+ and Danfoss TLX Pro+ inverters.
One of the bugs is caused by an incorrect default setting in the impacted products. The flaw can be exploited by a remote attacker to obtain the application’s source code and read configuration files, Rupp told SecurityWeek.
The expert has also identified the existence of plain text passwords in the source code of web pages, and multiple cross-site scripting (XSS) vulnerabilities. The following CVE identifiers have been assigned to the IBC Solar product bugs: CVE-2015-6469, CVE-2015-6474 and CVE-2015-6475.
Rupp says he has identified roughly 2,000 hosts running the vulnerable applications.
The vulnerabilities were reported in March 2015, but a fix has yet to be released. IBC Solar representatives told SecurityWeek that they will discuss the issues with the manufacturer of IBC ServeMaster, SMA Solar Technology, which acquired Danfoss’ solar inverter business in 2014.
IBC Solar has pointed out that IBC ServeMaster has never been available on the U.S. market. The company’s products are used in the energy sector in several European and Asian countries.
An advisory published by ICS-CERT on Thursday details a hardcoded credentials vulnerability (CVE-2015-3974) found by Rupp in EasyIO-30P-SF, a rugged, network-centric, high-performance, multi-protocol I/O controller used in various sectors across the world.
The hardcoded password that exists in this product allows a remote attacker with low skill to gain unrestricted access to the controller.
EasyIO has released a patch to address the vulnerability. The fix has also been provided to the nine OEM vendors whose products are affected by the issue, including Accutrol, Bar-Tech Automation, Infocon/EasyIO, Honeywell Automation India, Johnson Controls Group, SyxthSENSE, Transformative Wave Technologies, Tridium Asia Pacific, and Tridium Europe.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
