Accuenergy created a firmware upgrade that mitigates two authentication vulnerabilities within its AXM-NET Ethernet module’s web server. The AXM-NET Ethernet module is an accessory for the Acuvim II, according to a report on ICS-CERT.
Independent researcher Laisvis Lingvevicius, who discovered the remotely exploitable vulnerabilities, tested the firmware to validate that it resolves the vulnerabilities.
AXM-NET Ethernet module v.3.04 suffers from the issue.
Accuenergy is a Canada-based company that maintains offices in several countries around the world, including the United States and China.
The affected product, Acuvim II, is a multifunction power metering device. The AXM-NET Ethernet module creates a web page to display data produced by the Acuvim II. According to Accuenergy, Acuvim II is deployed in the energy sector. Accuenergy estimates this product is used primarily in North America and China.
By accessing a specific uniform resource locator (URL) on the web server, a malicious user is able to access settings without authenticating. The accessible settings are limited: they include the network settings for the AXM-NET module web server, but not those of the Acuvim II device.
CVE-2014-2373 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 7.5.
CVE-2014-2374 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 7.5.
No known public exploits specifically target these vulnerabilities. However, an attacker with low skill would be able to exploit these vulnerabilities.