Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2012.1113 ICSA-12-325-01 - SINAPSI DEVICES MULTIPLE VULNERABILITIES 26 November 2012 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Sinapsi eSolar Sinapsi eSolar DUO Sinapsi eSolar Light Publisher: US-CERT Operating System: Network Appliance Impact/Access: Administrator Compromise -- Remote/Unauthenticated Execute Arbitrary Code/Commands -- Remote/Unauthenticated Access Confidential Data -- Remote/Unauthenticated Resolution: Patch/Upgrade CVE Names: CVE-2012-5864 CVE-2012-5863 CVE-2012-5862 CVE-2012-5861 Original Bulletin: http://www.us-cert.gov/control_systems/pdf/ICSA-12-325-01.pdf Comment: ICS-CERT has stated that exploits that target these vulnerabilities are publicly available. - --------------------------BEGIN INCLUDED TEXT-------------------- ICS-CERT ADVISORY ICSA-12-325-01 - SINAPSI DEVICES MULTIPLE VULNERABILITIES November 20, 2012 OVERVIEW This advisory is a follow-up to the alert titled ICS-ALERT-12-284-01 - Sinapsi eSolar Light Multiple Vulnerabilities that was published October 10, 2012, on the ICS-CERT Web page. [a] Independent researchers Roberto Paleari and Ivan Speziale identified four vulnerabilities and released proof-of-concept (exploit) code for the Sinapsi eSolar Light Photovoltaic System Monitor without coordination with ICS-CERT, this vendor, or any other coordinating entity known to ICS-CERT. The eSolar Light has also been sold with different brands and names. Successful exploitation of the vulnerabilities would allow an attacker to gain unauthorized access, access private information, and execute remote code. The eSolar Light is a monitoring system used in solar power applications. However, Sinapsi also reports that other Sinapsi devices (eSolar, eSolar DUO, eSolar Light) are vulnerable to these vulnerabilities. These devices are used in the Energy Sector. AFFECTED PRODUCTS The following Sinapsi devices with firmware prior to Version 2.0.2870_xxx_2.2.12 are affected: * eSolar, * eSolar DUO, and, * eSolar Light. This product is provided subject only to the Notification Section as indicated here: http://www.us-cert.gov/privacy/ IMPACT Malicious attackers could use the vulnerabilities to exploit the device by gaining unauthorized access in the system, leaking stored information, and remotely executing code on the device. This could allow a loss of availability, integrity, and confidentiality of the affected system. Because Sinapsi devices are primarily used for control and monitoring of energy systems, the Energy Sector is affected. Some Sinapsi devices are also used for building automation. Impact to individual organizations depends on many factors that are unique to each organization. ICS-CERT recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation. BACKGROUND Sinapsi is an Italian-based company that sells devices used for energy monitoring and management as well as building automation applications. The affected products are Web-based SCADA monitoring and management systems. According to Sinapsi, the products are deployed across the Energy Sector and also used for building automation. Sinapsi estimates that these products are used primarily in Italy, but some vendors have marketed the products in the United States and other countries. VULNERABILITY CHARACTERIZATION VULNERABILITY OVERVIEW HARD-CODED CREDENTIALS [b] The Sinapsi devices store hard-coded passwords in the PHP file of the device. By using the hard-coded passwords in the device, attackers can log into the device with administrative privileges. This could allow the attacker to have unauthorized access. CVE-2012-5862 [c] has been assigned to this vulnerability. A CVSS v2 base score of 10.0 has been assigned; the CVSS vector string is (AV:N/AC:L/Au:N/C:C/I:C/A:C). [d] SQL INJECTION [e] The Sinapsi devices do not check the validity of the data before executing queries. By accessing the SQL table of certain pages that do not require authentication within the device, attackers can leak information from the device. This could allow the attacker to compromise confidentiality. CVE-2012-5861 [f] has been assigned to this vulnerability. A CVSS v2 base score of 7.8 has been assigned; the CVSS vector string is (AV:N/AC:L/Au:N/C:C/I:N/A:N). [g] OPERATING SYSTEM COMMAND INJECTION [h] The Sinapsi devices do not check for special elements in commands sent to the system. By accessing certain pages with administrative privileges that do not require authentication within the device, attackers can execute arbitrary, unexpected, or dangerous commands directly onto the operating system. CVE-2012-5863 [i] has been assigned to this vulnerability. A CVSS v2 base score of 10.0 has been assigned; the CVSS vector string is (AV:N/AC:L/Au:N/C:C/I:C/A:C). [j] BROKEN SESSION ENFORCEMENT [k] The Sinapsi devices do not check if users that visit pages within the device have properly authenticated. By directly visiting the pages within the device, attackers can gain unauthorized access with administrative privileges. CVE-2012-5864 [l] has been assigned to this vulnerability. A CVSS v2 base score of 9.4 has been assigned; the CVSS vector string is (AV:N/AC:L/Au:N/C:C/I:C/A:N). [m] VULNERABILITY DETAILS EXPLOITABILITY These vulnerabilities could be exploited remotely. EXISTENCE OF EXPLOIT Exploits that target these vulnerabilities are publicly available. DIFFICULTY An attacker with a low skill would be able to exploit these vulnerabilities. MITIGATION Sinapsi has developed a new firmware version 2.0.2870_2.2.12 that mitigates these vulnerabilities. Sinapsi released the new firmware on Monday, November 19, 2012 directly to the devices. Users will be able to manually download the firmware on their device by using the Firmware Update function in the System Menu in the devices Web interface. Sinapsi has also posted a security newsletter to its public Web site. [n] Other affected vendors have been notified by Sinapsi and ICS-CERT, but the availability of new firmware upgrades are unknown by ICS-CERT at this time. ICS-CERT encourages asset owners to take additional defensive measures to protect against this and other cybersecurity risks. * Minimize network exposure for all control system devices. Critical devices should not directly face the Internet. * Locate control system networks and remote devices behind firewalls, and isolate them from the business network. * When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPN is only as secure as the connected devices. ICS-CERT also provides a section for control systems security recommended practices on the US-CERT Web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.o ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to taking defensive measures. Additional mitigation guidance and recommended practices are publicly available in the ICS-CERT Technical Information Paper, ICS-TIP-12-146-01ACyber Intrusion Mitigation Strategies, [p] that is available for download from the ICS-CERT Web page (www.ics-cert.org). Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents. In addition, ICS-CERT recommends that users take the following measures to protect themselves from social engineering attacks: 1. Do not click Web links or open unsolicited attachments in email messages. 2. Refer to Recognizing and Avoiding Email Scamsq for more information on avoiding email scams. 3. Refer to Avoiding Social Engineering and Phishing Attacksr for more information on social engineering attacks. ICS-CERT CONTACT For any questions related to this report, please contact ICS-CERT at: Email: ics-cert@dhs.gov Toll Free: 1-877-776-7585 For industrial control systems security information and incident reporting: www.ics-cert.org ICS-CERT continuously strives to improve its products and services. You can help by answering a short series of questions about this product at the following URL: https://forms.us-cert.gov/ncsd-feedback/. DOCUMENT FAQ What is an ICS-CERT Advisory? An ICS-CERT Advisory is intended to provide awareness or solicit feedback from critical infrastructure owners and operators concerning ongoing cyber events or activity with the potential to impact critical infrastructure computing networks. When is vulnerability attribution provided to researchers? Attribution for vulnerability discovery is always provided to the vulnerability reporter unless the reporter notifies ICS-CERT that they wish to remain anonymous. ICS-CERT encourages researchers to coordinate vulnerability details before public release. The public release of vulnerability details prior to the development of proper mitigations may put industrial control systems and the public at avoidable risk. a. ICS-ALERT-12-284-01.Sinapsi eSolar Light Photovoltaic System Monitor Multiple Vulnerabilities, http://www.us-cert.gov/controlsystems/pdf/ICS-ALERT-12-284-01.pdf, Web site last visited November 20, 2012. b. CWE, http://cwemitre.org/data/definitions/259.html, CWE-259: Hard-Coded Password, Web site last accessed November 20, 2012. c. NVD, http://webnvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-5862 , NIST uses this advisory to create the CVE Web site report. This Web site will be active sometime after publication of this advisory. d. CVSS Calculator, http://nvd.nist.gov/cvss.cfm?version=2&vector=(AV:N/AC:L/Au:N/C:C/I:C/A:C), Web site last visited November 20, 2012. e. CWE, http://cwe.mitre.org/data/definitions/89.html, CWE-89: SQL Injection, Web site last accessed November 20, 2012. f. NVD, http://web.nvdnist.gov/view/vuln/detail?vulnId=CVE-2012-5861, NIST uses this advisory to create the CVE Web site report. This Web site will be active sometime after publication of this advisory. g. CVSS Calculator, http://nvd.nist.gov/cvss.cfm?version=2&vector=(AV:N/AC:L/Au:N/C:C/I:N/A:N), Web site last visited November 20, 2012. h. CWE, http://cwemitre.org/data/definitions/78html, CWE-78: OS Command Injection, Web site last accessed November 20, 2012. i. NVD, http://webnvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-5863 , NIST uses this advisory to create the CVE Web site report. This Web site will be active sometime after publication of this advisory. j. CVSS Calculator, http://nvdnist.gov/cvss.cfm?version=2&vector=(AV:N/AC:L/Au:N/C:C/I:C/A:C), Web site last visited November 20, 2012. k. CWE, http://cwemitre.org/data/definitions/287.html, CWE-287: Improper Authentication, Web site last accessed November 20, 2012. l. NVD, http://webnvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-5864 , NIST uses this advisory to create the CVE Web site report. This Web site will be active sometime after publication of this advisory. m. CVSS Calculator, http://nvdnist.gov/cvss.cfm?version=2&vector=(AV:N/AC:L/Au:N/C:C/I:C/A:N), Web site last visited November 20, 2012. n. Sinapsi Security Pack New Release (Italian), http://www.sinapsitech.it/default.asp?activepageid=78&newsid=88, Web site last visited November 20, 2012. o. CSSP Recommended Practices, http://www.us-cert.gov/controlsystems/practices/RecommendedPractices.html, Web site last accessed November 20, 2012. p. Cyber Intrusion Mitigation Strategies, http://www.us-cert.gov/controlsystems/pdf/ICS-TIP-12-146-01A.pdf, Web site last accessed November 20, 2012. q. Recognizing and Avoiding Email Scams, http://www.us-cert.gov/readingroom/emailscams0905.pdf, Web site last accessed November 20, 2012. r. National Cyber Alert System Cyber Security Tip ST04-014, http://www.us-cert.gov/cas/tips/ST04-014html, Web site last accessed November 20, 2012. - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBULLUge4yVqjM2NGpAQIOuA/6A4i0+mLGURtj4giQ1POjGjIet3USd9EM Jj3wpezhXUcDJNIwDCYlgjuGqOP3m/LMYNg38qd1QzXKC1JqGekWzBs/6n8qIJFb OE0jI7MKpkgxPckqzS8uoMAVM6VK8+ZDPcrtPschZjHSUPwHStz+pPXTdONaH7QY sYOdD5j9wpAzRTBM5cDOciu6RBfzOkQrFUpt/ba4bgYvFWC6TPu/U5rDItlGGxfc IiMtZUHJADPPX2vx48CBjH+aJzgvx0yS4b80UN62KvFbh+7jDmWiU1mUTH1EHv4b Mt3UYhA2tOCMFfmAPoGBYfE3ee0xgYkgXumilhM35JDNhv3z2cjK1MneZoF3NWtA NAPSHwkQY3F3Dh+iYvTOhFn1+cnfl1SP+hrgBXXPnmDgKJl0DZCEcj24Rv8DfsrB g7cx+4BJEPXZnl1ws1Z8INjpQGQiZu1ifzgcBNMKGhyTGYvLWAUZxCVIs+6zvDOB X/bWl+1IJO2ougMiIChLUr3HdPX4uDOowSit1sNp3lULF62Vlv+7jt6puD8Qu1CS LPIpoxzTWIm4COkheAKOi/iBa4wcL8E/TzInZo3LPOiFA8lp4Id35eOtV73XsGO0 g4Kehntjafb4yxdClxiQy23AZX7QTbvQV0s5koIapt6P0jiqS2ab7/p1vKDwnB1j 59QBeJdQS7U= =nn9S -----END PGP SIGNATURE-----