There are critical vulnerabilities in a control system that attackers could exploit to sabotage or steal sensitive data from operators of the solar arrays that generate electricity in homes and businesses, the Department of Homeland Security (DHS) said.
The vulnerabilities in a variety of products, including the Sinapsi eSolar Light Photovoltaic System Monitor and the Schneider Electric Ezylog Photovoltaic Management Server, allow unauthorized people to remotely log into the systems and execute commands, warned the DHS-affiliated Industrial Control Systems Cyber Emergency Response Team in an alert. Other vulnerable devices include the Gavazzi Eos-Box and the Astrid Green Power Guardian. Proof-of-concept code available online makes it easy to exploit some of the bugs.
The advisory comes from a report published last month that disclosed SQL injection vulnerabilities, passwords stored in plain text, hard-coded passwords, and other defects that left the devices open to tampering.
Researchers Roberto Paleari and Ivan Speziale said the vulnerable management server is incorporated into photovoltaic products from several manufacturers. Paleari said they found the flaws after Speziale purchased a Schneider Electric Ezylog device for his home that used firmware version number 2.0.2736_schel_2.2.6b.
“All the firmware versions we analyzed have been found to be affected by these issues,” the researchers wrote. “The software running on the affected devices is vulnerable to multiple security issues that allow unauthenticated remote attackers to gain administrative access and execute arbitrary commands.”
The researchers said they released the report two weeks after sending at least two emails to the manufacturer and receiving no reply.
Among the most serious vulnerabilities are bugs that make SQL injection attacks possible, allowing hackers to pass commands to a MySQL database connected to a Web interface. “Thus, attackers can easily leverage this issue to access the content of the SQL table that contains all valid username/password combinations (passwords are in plain text),” wrote the researchers.
The researchers also uncovered several pre-configured passwords, including the string “36e44c9b64,” hard-coded into the server’s PHP file. Typing one of these strings into the password field of the server’s login panel will grant access regardless of the corresponding username entered. The user cannot change or remove these passwords.
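The two defects described in the last two paragraphs (a query that lets input rewrite the SQL, and a vendor-baked password accepted for any username) are easiest to understand as a login routine. The following is an added example, not code from the article, the researchers, or any of the vendors named: it puts a login check with both defects beside a hardened version, using an in-memory SQLite table with constructed credentials. The backdoor string is a placeholder, not the value quoted above, and the table layout is assumed for illustration.

```python
"""Added example: a login check carrying the two defects the researchers
describe (SQL injection and a hard-coded password accepted for any user)
beside a hardened version. SQLite stands in for the device's MySQL table;
credentials and the backdoor string are constructed placeholders."""
import hashlib
import hmac
import os
import sqlite3

# Constructed placeholder standing in for a vendor-baked password.
HARDCODED_PASSWORDS = {"EXAMPLE-BACKDOOR"}
PBKDF2_ITERATIONS = 200_000


def make_db_plaintext():
    """Schema as the report describes it: passwords stored in plain text."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'solar2012')")  # constructed
    return db


def vulnerable_login(db, username, password):
    """Both defects: a backdoor that ignores the username, and a query built
    by string formatting, so a quote in the input changes the WHERE clause."""
    if password in HARDCODED_PASSWORDS:
        return True
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return db.execute(sql).fetchone() is not None


def hash_password(password, salt=None):
    """PBKDF2-HMAC-SHA256 with a random per-user salt; returns 'salthex$hashhex'."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate.hex(), digest_hex)


def make_db_hashed():
    """Same users, but only a salted hash is stored, so a dump of the table
    (the outcome the researchers describe) yields no usable credentials."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT)")
    db.execute("INSERT INTO users VALUES (?, ?)", ("admin", hash_password("solar2012")))
    return db


def hardened_login(db, username, password):
    """No backdoor list, a parameterised query (input is data, never SQL),
    and a hash check that the user cannot bypass by knowing the table."""
    row = db.execute(
        "SELECT password_hash FROM users WHERE username = ?", (username,)).fetchone()
    if row is None:
        # Do the same amount of work for unknown users so response time
        # does not reveal which usernames exist.
        verify_password(password, hash_password("dummy"))
        return False
    return verify_password(password, row[0])


if __name__ == "__main__":
    weak, strong = make_db_plaintext(), make_db_hashed()
    print("vulnerable, backdoor as any user:", vulnerable_login(weak, "anyone", "EXAMPLE-BACKDOOR"))
    print("hardened, backdoor as any user:  ", hardened_login(strong, "anyone", "EXAMPLE-BACKDOOR"))
```

The parameterised query is the whole fix for the injection: the driver sends the username as a bound value, so quote characters never reach the SQL parser. Removing the backdoor list and hashing stored passwords address the other two findings; a device that still ships a fixed master password, as the article says the user cannot change or remove it, cannot be made safe by the operator at all.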