Meteocontrol has released a new version to mitigate one authentication and two information exposure vulnerabilities in its WEB’log application, according to an ICS-CERT advisory.
These vulnerabilities, discovered by independent researcher Karn Ganeshen, are remotely exploitable.
The following WEB’log products suffer from the vulnerabilities:
• Basic 100 all versions
• Light all versions
• Pro all versions
• Pro Unlimited all versions
Sensitive information can be accessed, and admin login pages are reachable without authentication.
Successful exploitation of these vulnerabilities could allow silent execution of unauthorized actions on the device, such as modifying plant data; modifying Modbus, inverter and other device configuration parameters; saving the modified configuration; and rebooting the device.
Meteocontrol is a Germany-based company that maintains offices in several countries around the world, including the U.S., China, Italy, Spain, France, Switzerland, and Israel.
The affected products, WEB’log, are web-based SCADA systems that provide functions to manage energy and power configurations in different connected (energy/industrial) devices. WEB’log is deployed across several sectors, including commercial facilities, critical manufacturing, energy, and water and wastewater systems. Meteocontrol said these products are used mainly in Europe, with a small percentage in the United States.
All application functionality and configuration pages, including those normally reachable only after administrative login, can be accessed without any authentication.
CVE-2016-2296 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 9.4.
In addition, the application has a hidden, obscured command shell-like feature that allows anyone to run a restricted set of system commands. This shell can be accessed directly without any authentication.
CVE-2016-2297 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 9.4.
No Cross-Site Request Forgery (CSRF) token is generated per page or per function.
CVE-2016-4504 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 9.4.
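The two controls the advisory describes as missing, an authentication gate on administrative pages and a per-function CSRF token, can be shown side by side in a small request dispatcher. This is an added example written for this article, not WEB’log code or Meteocontrol's fix; the `Session` and `Request` models, the `/admin/save_config` route and the `save_config` handler are constructed for illustration.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

# Constructed session and request models (not WEB'log's): enough to record
# who is logged in and which CSRF tokens have been issued to that session.
@dataclass
class Session:
    user: Optional[str] = None
    csrf_tokens: Dict[str, str] = field(default_factory=dict)  # function -> token


@dataclass
class Request:
    path: str
    method: str = "GET"
    form: Dict[str, str] = field(default_factory=dict)
    session: Session = field(default_factory=Session)


Response = Tuple[int, str]
Handler = Callable[[Request], Response]


def issue_csrf_token(session: Session, function: str) -> str:
    """Mint an unpredictable token bound to this session and this function.
    The page that renders the form would embed it as a hidden field."""
    token = secrets.token_urlsafe(32)
    session.csrf_tokens[function] = token
    return token


def check_csrf_token(session: Session, function: str, presented: Optional[str]) -> bool:
    """Consume the token issued for this function and compare in constant time."""
    expected = session.csrf_tokens.pop(function, None)  # single use
    if expected is None or presented is None:
        return False
    return hmac.compare_digest(expected, presented)


# Constructed state-changing handler standing in for a "save configuration" page.
def save_config(req: Request) -> Response:
    return 200, f"configuration saved by {req.session.user or 'anonymous'}"


HANDLERS: Dict[str, Handler] = {"/admin/save_config": save_config}
ADMIN_PATHS = {"/admin/save_config"}


def vulnerable_dispatch(req: Request) -> Response:
    """Dispatch pattern matching the advisory: no login check on admin pages
    and no CSRF token, so any request that reaches the handler is executed."""
    handler = HANDLERS.get(req.path)
    return handler(req) if handler else (404, "not found")


def hardened_dispatch(req: Request) -> Response:
    """Same routes with both controls: admin paths require a logged-in
    session, and every POST must carry a valid single-use token."""
    handler = HANDLERS.get(req.path)
    if handler is None:
        return 404, "not found"
    if req.path in ADMIN_PATHS and req.session.user is None:
        return 401, "authentication required"
    if req.method == "POST" and not check_csrf_token(
        req.session, req.path, req.form.get("csrf_token")
    ):
        return 403, "missing or invalid CSRF token"
    return handler(req)


if __name__ == "__main__":
    anon = Request("/admin/save_config", "POST")
    print("vulnerable, unauthenticated:", vulnerable_dispatch(anon))
    print("hardened, unauthenticated:  ", hardened_dispatch(anon))
    admin = Session(user="admin")
    token = issue_csrf_token(admin, "/admin/save_config")
    good = Request("/admin/save_config", "POST", {"csrf_token": token}, admin)
    print("hardened, with token:       ", hardened_dispatch(good))
    print("hardened, token replayed:   ", hardened_dispatch(good))
```

Binding the token to the function name and popping it on use gives the per-page, per-function behaviour the advisory asks for: a token captured from one form cannot be replayed against another function or a second time, and a forged cross-site POST has no way to learn the value at all.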
There is also a sensitive information exposure: information is stored in clear text.
CVE-2016-2298 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 9.8.
No known public exploits specifically target these vulnerabilities. However, an attacker with low skill would be able to exploit them.
Meteocontrol strongly recommends that users install WEB’log behind a firewall; it should not be connected directly to the Internet. Meteocontrol has produced a new version that fixes the vulnerabilities.