lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Thu, 06 Apr 2017 19:43:53 +0000
From: Karn Ganeshen <karnganeshen@...il.com>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: [FD] Carlo Gavazzi VMUC-EM - Multiple Vulnerabilities

*VMU-C Web-Server solution for photovoltaic applications*

VMU-C EM is a data logger system for small to medium projects, VMUC-Y EM is
a hardware data aggregator for medium to larger projects and Em2 Server is
a software solution for large projects. They are designed to complement the
extensive line of Carlo Gavazzi energy meters and current transformers.

*ICS-CERT advisory*
https://ics-cert.us-cert.gov/advisories/ICSA-17-012-03

*CVE-IDs*
CVE-2017-5144
CVE-2017-5145
CVE-2017-5146

*Vulnerable versions*

   - VMU-C EM prior to firmware Version A11_U05, and
   - VMU-C PV prior to firmware Version A17


*1. Weak Credentials Management*
-> admin/admin
-> Application does not enforce mandatory password change

*2. Sensitive Information stored in clear-text*
Accounts menu option
⇒ shows username and password
⇒ passwords shown in clear-text
⇒ SMTP server password
⇒ user and service passwords are stored in clear-text

*3. Access Control flaws*

   1. Access control is not enforced correctly
   2. Certain application functions can be accessed without any
   authentication
   3. Application stores the Energy / Plant data in a sqlite database -
   EWPlant.db. Anyone can dump plant database file - without any authentication

*4. Reflected + Stored XSS - multiple URLs, parameters - *Not documented in
ICS-CERT Advisory

Successful exploitation of this vulnerability could allow an
unauthenticated attacker to inject arbitrary JavaScript in a specially
crafted URL request where the response containing user data is returned to
the web browser without being made safe to display.

*5. Vulnerable to Cross-Site Request Forgery*

There is no CSRF Token generated per page and / or per (sensitive)
function. Successful exploitation of this vulnerability can allow silent
execution of unauthorized actions on the device such as configuration
parameter changes, and saving modified configuration.

+++++

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists