-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2012.1113
         ICSA-12-325-01 - SINAPSI DEVICES MULTIPLE VULNERABILITIES
                             26 November 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Sinapsi eSolar
                   Sinapsi eSolar DUO
                   Sinapsi eSolar Light
Publisher:         US-CERT
Operating System:  Network Appliance
Impact/Access:     Administrator Compromise        -- Remote/Unauthenticated
                   Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2012-5864 CVE-2012-5863 CVE-2012-5862
                   CVE-2012-5861  

Original Bulletin: 
   http://www.us-cert.gov/control_systems/pdf/ICSA-12-325-01.pdf

Comment: ICS-CERT has stated that exploits that target these vulnerabilities 
         are publicly available.

- --------------------------BEGIN INCLUDED TEXT--------------------

ICS-CERT ADVISORY

ICSA-12-325-01 - SINAPSI DEVICES MULTIPLE VULNERABILITIES

November 20, 2012

OVERVIEW

This advisory is a follow-up to the alert titled ICS-ALERT-12-284-01 - Sinapsi 
eSolar Light Multiple Vulnerabilities that was published October 10, 2012, on 
the ICS-CERT Web page. [a]

Independent researchers Roberto Paleari and Ivan Speziale identified four 
vulnerabilities and released proof-of-concept (exploit) code for the Sinapsi 
eSolar Light Photovoltaic System Monitor without coordination with ICS-CERT, 
this vendor, or any other coordinating entity known to ICS-CERT.

The eSolar Light has also been sold under other brands and names. Successful 
exploitation of the vulnerabilities would allow an attacker to gain 
unauthorized access, read private information, and execute code remotely. The 
eSolar Light is a monitoring system used in solar power applications. Sinapsi 
also reports that its other devices (eSolar, eSolar DUO, eSolar Light) are 
affected by these vulnerabilities. These devices are used in the Energy 
Sector.

AFFECTED PRODUCTS

The following Sinapsi devices with firmware prior to Version 
2.0.2870_xxx_2.2.12 are affected:

* eSolar,
* eSolar DUO, and,
* eSolar Light.

This product is provided subject only to the Notification Section as indicated 
here: http://www.us-cert.gov/privacy/

IMPACT

Malicious attackers could use the vulnerabilities to exploit the device by 
gaining unauthorized access to the system, leaking stored information, and 
remotely executing code on the device. This could allow a loss of availability, 
integrity, and confidentiality of the affected system. Because Sinapsi devices 
are primarily used for control and monitoring of energy systems, the Energy 
Sector is affected. Some Sinapsi devices are also used for building automation.
Impact to individual organizations depends on many factors that are unique to 
each organization. ICS-CERT recommends that organizations evaluate the impact 
of these vulnerabilities based on their operational environment, architecture, 
and product implementation.

BACKGROUND

Sinapsi is an Italian-based company that sells devices used for energy 
monitoring and management as well as building automation applications.
The affected products are Web-based SCADA monitoring and management systems. 
According to Sinapsi, the products are deployed across the Energy Sector and 
also used for building automation. Sinapsi estimates that these products are 
used primarily in Italy, but some vendors have marketed the products in the 
United States and other countries.

VULNERABILITY CHARACTERIZATION

VULNERABILITY OVERVIEW

HARD-CODED CREDENTIALS [b]

The Sinapsi devices store hard-coded passwords in a PHP file on the device. 
Anyone who knows these passwords can log into the device with administrative 
privileges, giving the attacker unauthorized access.

CVE-2012-5862 [c] has been assigned to this vulnerability. A CVSS v2 base 
score of 10.0 has been assigned; the CVSS vector string is 
(AV:N/AC:L/Au:N/C:C/I:C/A:C). [d]
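As an added illustration of the hard-coded credential weakness (this is example 
code written for this bulletin, not code from the advisory or from any Sinapsi 
device), the following scanner flags string literals assigned to password-like 
variables or constants in PHP source. The sample PHP text, the variable names 
and the pattern list are constructed for the example; a real review would run 
the same check over the device's firmware image or source tree.

```python
import re

# Constructed sample of a PHP login script containing a hard-coded password.
# This text is invented for the example and is not from any real device.
SAMPLE_PHP = """<?php
$db_host = "localhost";
$admin_user = "admin";
$admin_pass = "s3cret-literal";   // hard-coded: anyone with the file can log in
define('API_KEY', 'abcd1234');
$password = $_POST['password'];     // runtime input, not a literal: fine
if ($password === $admin_pass) { $_SESSION['admin'] = true; }
"""

# Identifier fragments that usually mean "this variable holds a secret".
SECRET_NAMES = re.compile(r"(pass(word|wd)?|pwd|secret|api_?key|token)", re.I)

# `$name = "literal";`
ASSIGN_LITERAL = re.compile(
    r"""\$(?P<name>\w+)\s*=\s*(?P<q>['"])(?P<value>.*?)(?P=q)\s*;"""
)
# `define('NAME', 'literal');`
DEFINE_LITERAL = re.compile(
    r"""define\(\s*(?P<q1>['"])(?P<name>\w+)(?P=q1)\s*,\s*(?P<q2>['"])(?P<value>.*?)(?P=q2)\s*\)"""
)


def find_hardcoded_credentials(source: str) -> list:
    """Return (line_number, identifier) for every non-empty string literal
    assigned to a secret-looking variable or constant.

    Assignments from runtime input (e.g. $_POST[...]) are not literals and
    are not reported; that is where a credential check should read from,
    comparing against a salted hash loaded from protected configuration.
    """
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for pattern in (ASSIGN_LITERAL, DEFINE_LITERAL):
            m = pattern.search(line)
            if m and SECRET_NAMES.search(m.group("name")) and m.group("value"):
                findings.append((lineno, m.group("name")))
    return findings


if __name__ == "__main__":
    for lineno, name in find_hardcoded_credentials(SAMPLE_PHP):
        print(f"line {lineno}: literal secret assigned to {name}")
```

The scanner is deliberately simple (single-line assignments only); its value is 
as a repeatable check in a firmware or code review, where any hit should be 
replaced by a per-device credential that is set at first boot and stored 
hashed.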

SQL INJECTION [e]

The Sinapsi devices do not validate input before using it in database 
queries. By submitting crafted input to certain pages that do not require 
authentication, attackers can read information from the device's database. 
This could allow the attacker to compromise confidentiality.

CVE-2012-5861 [f] has been assigned to this vulnerability. A CVSS v2 base 
score of 7.8 has been assigned; the CVSS vector string is 
(AV:N/AC:L/Au:N/C:C/I:N/A:N). [g]
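The following added example (written for this bulletin; not advisory or Sinapsi 
code) shows the defect class beside its fix: one lookup splices the request 
value into the SQL text, the other binds it as a parameter. The in-memory 
SQLite table, its rows and the probe string are constructed for the example.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for a device's data store.
    The schema and rows are invented for this example."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE plants (id INTEGER PRIMARY KEY, name TEXT, owner_email TEXT)"
    )
    conn.executemany(
        "INSERT INTO plants (name, owner_email) VALUES (?, ?)",
        [("roof-a", "a@example.invalid"), ("roof-b", "b@example.invalid")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, plant_name: str) -> list:
    """Defect class from the advisory: the value is pasted into the SQL
    text, so the caller can change the statement, not just its operand."""
    sql = f"SELECT name, owner_email FROM plants WHERE name = '{plant_name}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, plant_name: str) -> list:
    """Fix: the value is bound as a parameter and is never parsed as SQL."""
    sql = "SELECT name, owner_email FROM plants WHERE name = ?"
    return conn.execute(sql, (plant_name,)).fetchall()


# Probe a tester uses to confirm the defect: it turns the WHERE clause into a
# tautology in the vulnerable version, and matches no row once bound.
PROBE = "x' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, PROBE))      # both rows leak
    print(lookup_parameterized(db, PROBE))   # []
```

Parameter binding is the whole fix; input "validation" of the value is a useful 
extra layer but cannot replace it, because a legitimate plant name may contain a 
quote.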

OPERATING SYSTEM COMMAND INJECTION [h]

The Sinapsi devices do not neutralize special elements in input that is passed 
to operating system commands. Through certain pages that run with 
administrative privileges but do not require authentication, attackers can 
execute arbitrary, unexpected, or dangerous commands directly on the operating 
system.

CVE-2012-5863 [i] has been assigned to this vulnerability. A CVSS v2 base score of 
10.0 has been assigned; the CVSS vector string is 
(AV:N/AC:L/Au:N/C:C/I:C/A:C). [j]
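As an added example (not from the advisory or from Sinapsi), the code below 
contrasts a command line built from raw input with the two controls that remove 
the command injection class: an allowlist check on the value, and passing it as 
a single argv element so no shell parses it. The ping use case, the hostname 
pattern and the test strings are assumptions made for the example.

```python
import ipaddress
import re
import subprocess

# RFC 1123-style hostname: dot-separated labels of letters, digits and hyphens,
# no label starting or ending with a hyphen.
HOSTNAME_RE = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def validate_target(target: str) -> str:
    """Allowlist check: return the value only if it is an IP address or a
    plain hostname. Anything else (spaces, ';', '|', '$', quotes, ...) is
    rejected outright rather than escaped."""
    try:
        return str(ipaddress.ip_address(target))
    except ValueError:
        pass
    if 0 < len(target) <= 253 and HOSTNAME_RE.match(target):
        return target
    raise ValueError(f"rejected target: {target!r}")


def is_valid_target(target: str) -> bool:
    try:
        validate_target(target)
        return True
    except ValueError:
        return False


def build_ping_vulnerable(target: str) -> str:
    """Defect class from the advisory: the raw value is pasted into a command
    line that a shell will interpret, so shell metacharacters in the value
    become part of the command."""
    return f"ping -c 1 {target}"


def build_ping_argv(target: str) -> list:
    """Fix: validate first, then pass the value as one argv element."""
    return ["ping", "-c", "1", validate_target(target)]


def run_ping(target: str) -> subprocess.CompletedProcess:
    # shell=False (the default) with an argv list: nothing re-parses the value.
    return subprocess.run(build_ping_argv(target), capture_output=True, text=True)


if __name__ == "__main__":
    print(run_ping("127.0.0.1").returncode)
```

Rejecting rather than escaping keeps the rule auditable: the only question a 
reviewer has to answer is whether the allowlist is narrow enough for the 
feature, not whether every metacharacter of every shell was covered.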

BROKEN SESSION ENFORCEMENT [k]

The Sinapsi devices do not check whether users visiting pages within the device 
have properly authenticated. By requesting those pages directly, attackers can 
gain unauthorized access with administrative privileges.

CVE-2012-5864 [l] has been assigned to this vulnerability. A CVSS v2 base 
score of 9.4 has been assigned; the CVSS vector string is 
(AV:N/AC:L/Au:N/C:C/I:C/A:N). [m]
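The added example below (written for this bulletin, not advisory or Sinapsi 
code) models the broken enforcement beside the fix: a dispatcher where only the 
login page looks at credentials, and one where a single central check runs 
before any page handler, so no page can forget to authenticate. The session 
store, page names and roles are invented for the example.

```python
import posixpath
import secrets


class SessionStore:
    """Server-side table of opaque session token -> role. Constructed for the
    example; a real device would also persist and expire entries."""

    def __init__(self) -> None:
        self._sessions = {}

    def create(self, role: str) -> str:
        token = secrets.token_urlsafe(32)   # unguessable, server-generated
        self._sessions[token] = role
        return token

    def role_for(self, token):
        return self._sessions.get(token) if token else None


PUBLIC_PAGES = {"/login.php"}


def vulnerable_dispatch(path: str, token, store: SessionStore) -> tuple:
    """Defect class from the advisory: only the login page consults the
    session; every other page serves its content to any direct request."""
    if path == "/login.php":
        return 200, "login form"
    return 200, f"content of {path}"


def enforced_dispatch(path: str, token, store: SessionStore) -> tuple:
    """Fix: normalize the path, then decide authentication and authorization
    centrally before any page handler runs."""
    path = posixpath.normpath(path)         # "/x/../admin/a.php" -> "/admin/a.php"
    if path in PUBLIC_PAGES:
        return 200, "login form"
    role = store.role_for(token)
    if role is None:
        return 302, "/login.php"            # not authenticated: redirect
    if path.startswith("/admin/") and role != "admin":
        return 403, "forbidden"             # authenticated but not authorized
    return 200, f"content of {path}"


if __name__ == "__main__":
    store = SessionStore()
    print(vulnerable_dispatch("/admin/config.php", None, store))   # served
    print(enforced_dispatch("/admin/config.php", None, store))     # redirect
```

The normalization step matters as much as the check itself: without it a 
request for "/public/../admin/config.php" would fail the "/admin/" prefix 
test yet still be resolved to the admin page by the web server.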

VULNERABILITY DETAILS

EXPLOITABILITY

These vulnerabilities could be exploited remotely.

EXISTENCE OF EXPLOIT

Exploits that target these vulnerabilities are publicly available.

DIFFICULTY

An attacker with low skill would be able to exploit these vulnerabilities.

MITIGATION

Sinapsi has developed a new firmware version 2.0.2870_2.2.12 that mitigates 
these vulnerabilities. Sinapsi released the new firmware on Monday, November 
19, 2012 directly to the devices. Users will be able to manually download the 
firmware to their device by using the Firmware Update function in the System 
Menu of the device's Web interface. Sinapsi has also posted a security 
newsletter to its public Web site. [n]

Other affected vendors have been notified by Sinapsi and ICS-CERT, but the 
availability of new firmware upgrades from them is unknown to ICS-CERT at this 
time.

ICS-CERT encourages asset owners to take additional defensive measures to 
protect against this and other cybersecurity risks.

* Minimize network exposure for all control system devices. Critical devices 
should not directly face the Internet.

* Locate control system networks and remote devices behind firewalls, and 
isolate them from the business network.

* When remote access is required, use secure methods, such as Virtual Private 
Networks (VPNs), recognizing that VPN is only as secure as the connected 
devices.

ICS-CERT also provides a section for control systems security recommended 
practices on the US-CERT Web page. Several recommended practices are available 
for reading and download, including Improving Industrial Control Systems 
Cybersecurity with Defense-in-Depth Strategies. [o] ICS-CERT reminds 
organizations to perform proper impact analysis and risk assessment prior to 
taking defensive measures.

Additional mitigation guidance and recommended practices are publicly available 
in the ICS-CERT Technical Information Paper, ICS-TIP-12-146-01A Cyber Intrusion 
Mitigation Strategies, [p] that is available for download from the ICS-CERT Web 
page (www.ics-cert.org).

Organizations observing any suspected malicious activity should follow their 
established internal procedures and report their findings to ICS-CERT for
tracking and correlation against other incidents.

In addition, ICS-CERT recommends that users take the following measures to 
protect themselves from social engineering attacks:

1. Do not click Web links or open unsolicited attachments in email messages.

2. Refer to Recognizing and Avoiding Email Scams [q] for more information on 
avoiding email scams.

3. Refer to Avoiding Social Engineering and Phishing Attacks [r] for more 
information on social engineering attacks.

ICS-CERT CONTACT
For any questions related to this report, please contact ICS-CERT at:
Email: ics-cert@dhs.gov 
Toll Free: 1-877-776-7585
For industrial control systems security information and incident reporting: 
www.ics-cert.org

ICS-CERT continuously strives to improve its products and services. You can 
help by answering a short series of questions about this product at the 
following URL: https://forms.us-cert.gov/ncsd-feedback/.

DOCUMENT FAQ

What is an ICS-CERT Advisory? An ICS-CERT Advisory is intended to provide
awareness or solicit feedback from critical infrastructure owners and 
operators concerning ongoing cyber events or activity with the potential to 
impact critical infrastructure computing networks.

When is vulnerability attribution provided to researchers? Attribution for 
vulnerability discovery is always provided to the vulnerability reporter 
unless the reporter notifies ICS-CERT that they wish to remain anonymous. 
ICS-CERT encourages researchers to coordinate vulnerability details before 
public release. The public release of vulnerability details prior to the 
development of proper mitigations may put industrial control systems and the 
public at avoidable risk.

a. ICS-ALERT-12-284-01 Sinapsi eSolar Light Photovoltaic System Monitor 
Multiple Vulnerabilities, 
http://www.us-cert.gov/controlsystems/pdf/ICS-ALERT-12-284-01.pdf, Web site 
last visited November 20, 2012.

b. CWE, http://cwe.mitre.org/data/definitions/259.html, CWE-259: Hard-Coded 
Password, Web site last accessed November 20, 2012.

c. NVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-5862, 
NIST uses this advisory to create the CVE Web site report. This Web site 
will be active sometime after publication of this advisory.

d. CVSS Calculator, http://nvd.nist.gov/cvss.cfm?version=2&vector=(AV:N/AC:L/Au:N/C:C/I:C/A:C), 
Web site last visited November 20, 2012.

e. CWE, http://cwe.mitre.org/data/definitions/89.html, CWE-89: SQL Injection, 
Web site last accessed November 20, 2012.

f. NVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-5861, NIST 
uses this advisory to create the CVE Web site report. This Web site will be 
active sometime after publication of this advisory.

g. CVSS Calculator, http://nvd.nist.gov/cvss.cfm?version=2&vector=(AV:N/AC:L/Au:N/C:C/I:N/A:N), 
Web site last visited November 20, 2012.

h. CWE, http://cwe.mitre.org/data/definitions/78.html, CWE-78: OS Command 
Injection, Web site last accessed November 20, 2012.

i. NVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-5863, NIST 
uses this advisory to create the CVE Web site report. This Web site will be 
active sometime after publication of this advisory.

j. CVSS Calculator, http://nvd.nist.gov/cvss.cfm?version=2&vector=(AV:N/AC:L/Au:N/C:C/I:C/A:C), 
Web site last visited November 20, 2012.

k. CWE, http://cwe.mitre.org/data/definitions/287.html, CWE-287: Improper 
Authentication, Web site last accessed November 20, 2012.

l. NVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-5864, NIST 
uses this advisory to create the CVE Web site report. This Web site will be 
active sometime after publication of this advisory.

m. CVSS Calculator, http://nvd.nist.gov/cvss.cfm?version=2&vector=(AV:N/AC:L/Au:N/C:C/I:C/A:N), 
Web site last visited November 20, 2012.

n. Sinapsi Security Pack New Release (Italian), 
http://www.sinapsitech.it/default.asp?activepageid=78&newsid=88, Web site last
visited November 20, 2012.

o. CSSP Recommended Practices, http://www.us-cert.gov/controlsystems/practices/RecommendedPractices.html, 
Web site last accessed November 20, 2012.

p. Cyber Intrusion Mitigation Strategies, http://www.us-cert.gov/controlsystems/pdf/ICS-TIP-12-146-01A.pdf, 
Web site last accessed November 20, 2012.

q. Recognizing and Avoiding Email Scams, http://www.us-cert.gov/readingroom/emailscams0905.pdf, 
Web site last accessed November 20, 2012.

r. National Cyber Alert System Cyber Security Tip ST04-014, 
http://www.us-cert.gov/cas/tips/ST04-014.html, Web site last accessed 
November 20, 2012.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBULLUge4yVqjM2NGpAQIOuA/6A4i0+mLGURtj4giQ1POjGjIet3USd9EM
Jj3wpezhXUcDJNIwDCYlgjuGqOP3m/LMYNg38qd1QzXKC1JqGekWzBs/6n8qIJFb
OE0jI7MKpkgxPckqzS8uoMAVM6VK8+ZDPcrtPschZjHSUPwHStz+pPXTdONaH7QY
sYOdD5j9wpAzRTBM5cDOciu6RBfzOkQrFUpt/ba4bgYvFWC6TPu/U5rDItlGGxfc
IiMtZUHJADPPX2vx48CBjH+aJzgvx0yS4b80UN62KvFbh+7jDmWiU1mUTH1EHv4b
Mt3UYhA2tOCMFfmAPoGBYfE3ee0xgYkgXumilhM35JDNhv3z2cjK1MneZoF3NWtA
NAPSHwkQY3F3Dh+iYvTOhFn1+cnfl1SP+hrgBXXPnmDgKJl0DZCEcj24Rv8DfsrB
g7cx+4BJEPXZnl1ws1Z8INjpQGQiZu1ifzgcBNMKGhyTGYvLWAUZxCVIs+6zvDOB
X/bWl+1IJO2ougMiIChLUr3HdPX4uDOowSit1sNp3lULF62Vlv+7jt6puD8Qu1CS
LPIpoxzTWIm4COkheAKOi/iBa4wcL8E/TzInZo3LPOiFA8lp4Id35eOtV73XsGO0
g4Kehntjafb4yxdClxiQy23AZX7QTbvQV0s5koIapt6P0jiqS2ab7/p1vKDwnB1j
59QBeJdQS7U=
=nn9S
-----END PGP SIGNATURE-----