St. Petersburg, Russia-based BINOM3 has multiple vulnerabilities in its electric power quality meter, according to an advisory from ICS-CERT.
The remotely exploitable vulnerabilities, discovered by researcher Karn Ganeshen, include cross-site scripting, access control issues, cross-site request forgery (CSRF), sensitive information stored in clear text, and weak credentials management.
The affected product is the BINOM3 Universal multifunctional electric power quality meter.
Successful exploitation of these vulnerabilities could cause the device to inaccurately report a range of electrical quality measurements.
BINOM3 has not released mitigations for these vulnerabilities. The product is deployed in the energy sector, mainly in Russia.
No known public exploits specifically target these vulnerabilities; however, an attacker with a low skill level could leverage them.
In the cross-site scripting vulnerability, input sent from a malicious client is not properly validated by the server, so an attacker can execute arbitrary script code in another user's browser session.
CVE-2017-5164 has been assigned to this vulnerability, which has a CVSS v3 base score of 8.8.
In addition, there is an improper access control issue: the remote service lacks authentication, which exposes application setup and configuration to anyone who can reach it.
CVE-2017-5162 has been assigned to this vulnerability, which has a CVSS v3 base score of 10.
Also, no CSRF token is generated per page or per sensitive function. Successful exploitation of this vulnerability allows silent execution of unauthorized actions on the device, such as changing configuration parameters and saving the modified configuration, when a logged-in user's browser is made to submit a forged request.
CVE-2017-5165 has been assigned to this vulnerability, which has a CVSS v3 base score of 8.8.
There is also an information exposure flaw: sensitive information is stored in clear text and can be used to gain privileged access to the device.
CVE-2017-5166 has been assigned to this vulnerability, which has a CVSS v3 base score of 9.8.
Finally, there is a hard-coded password flaw: credentials are fixed in the product, and users have no option to change their own passwords.
CVE-2017-5167 has been assigned to this vulnerability, which has a CVSS v3 base score of 8.6.