Satel Iberia released an upgrade to mitigate a command injection vulnerability in its SenNet Data Logger and Electricity Meters, according to a report from ICS-CERT.
Successful exploitation of this remotely exploitable vulnerability, discovered by Karn Ganeshan, could allow the attacker to gain root privilege to run arbitrary commands and change system data.
The following versions of the SenNet Data Logger and Electricity Meters monitoring platforms are affected:
• SenNet Optimal DataLogger V5.37c-1.43c and prior
• SenNet Solar Datalogger V5.03-1.56a and prior
• SenNet Multitask Meter V5.21a-1.18b and prior
No known public exploits specifically target this vulnerability. However, an attacker with a low skill level could leverage the vulnerability.
The product sees use in the critical manufacturing, energy and transportation systems sectors. It is deployed in the Americas and Europe.
Successful exploitation of this vulnerability could result in the attacker breaking out of the jailed shell and gaining full access to the system.
CVE-2017-6048 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 8.8.
Satel Iberia, which has its headquarters in Spain, recommends affected users upgrade to the latest version available. The latest version can be obtained by emailing Satel Iberia support.