lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Thu, 06 Apr 2017 19:43:53 +0000 From: Karn Ganeshen <karnganeshen@...il.com> To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org> Subject: [FD] Carlo Gavazzi VMUC-EM - Multiple Vulnerabilities *VMU-C Web-Server solution for photovoltaic applications* VMU-C EM is a data logger system for small to medium projects, VMUC-Y EM is a hardware data aggregator for medium to larger projects and Em2 Server is a software solution for large projects. They are designed to complement the extensive line of Carlo Gavazzi energy meters and current transformers. *ICS-CERT advisory* https://ics-cert.us-cert.gov/advisories/ICSA-17-012-03 *CVE-IDs* CVE-2017-5144 CVE-2017-5145 CVE-2017-5146 *Vulnerable versions* - VMU-C EM prior to firmware Version A11_U05, and - VMU-C PV prior to firmware Version A17 *1. Weak Credentials Management* -> admin/admin -> Application does not enforce mandatory password change *2. Sensitive Information stored in clear-text* Accounts menu option ⇒ shows username and password ⇒ passwords shown in clear-text ⇒ SMTP server password ⇒ user and service passwords are stored in clear-text *3. Access Control flaws* 1. Access control is not enforced correctly 2. Certain application functions can be accessed without any authentication 3. Application stores the Energy / Plant data in a sqlite database - EWPlant.db. Anyone can dump plant database file - without any authentication *4. Reflected + Stored XSS - multiple URLs, parameters - *Not documented in ICS-CERT Advisory Successful exploitation of this vulnerability could allow an unauthenticated attacker to inject arbitrary JavaScript in a specially crafted URL request where the response containing user data is returned to the web browser without being made safe to display. *5. Vulnerable to Cross-Site Request Forgery* There is no CSRF Token generated per page and / or per (sensitive) function. Successful exploitation of this vulnerability can allow silent execution of unauthorized actions on the device such as configuration parameter changes, and saving modified configuration. +++++ _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists