May 14, 2016 Karn Ganeshen

[ICS] Meteocontrol WEB’log Multiple Vulnerabilities

About Meteocontrol WEB’log
Meteocontrol is a Germany-based company that maintains offices in several countries around the world, including the US, China, Italy, Spain, France, Switzerland, and Israel.

The affected products, the WEB’log family, are web-based SCADA data loggers that provide functions to monitor and manage energy and power configurations on the connected (energy/industrial) devices.

According to Meteocontrol, WEB’log is deployed across several sectors including Commercial Facilities, Critical Manufacturing, Energy, and Water and Wastewater Systems. Meteocontrol estimates that these products are used primarily in Europe with a small percentage in the United States.

Product details here:
http://www.meteocontrol.com/en/industrial-line/data-logger-weblogs/weblog/

Multiple versions of this application are offered:

All of Meteocontrol’s WEB’log versions / flavors share the same underlying design, and all of them are vulnerable.

This product is deployed primarily in the Power & Energy domain and is used worldwide. It is rebranded in different countries; a few rebranded variants that I came across are as follows:

+++++

Vulnerability Details

Weak Credential Management
The default login password is ist02
-> which gives anyone easy administrative access

Issue:
A mandatory password change is not enforced by the application.
As a mitigation, the vendor’s team has now added a pop-up message that appears if the password is still the default.
> The problem is that they still have not enforced a mandatory password change. Relying on the end user to change the default password is not good security practice. Instead, the application must have a mechanism that ensures the user replaces any default login password(s) with strong values.
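The enforced version of that control, as an added example (not Meteocontrol’s code and not the author’s PoC module): a device that still carries the factory default accepts the login but refuses every action except a password change, and the replacement must pass a strength policy before the flag is cleared. The class name, the action names, the PBKDF2 storage and the policy thresholds are assumptions made for illustration; only the default value ist02 comes from the page.

```python
"""Added example (not Meteocontrol's code): forcing a change of the default password.

A device shipped with a known default password (the page names 'ist02') serves
nothing but the password-change function until that default has been replaced
by a value that passes the policy. Class name, action names and policy values
are assumptions made for illustration.
"""
import hashlib
import hmac
import os
import secrets
from typing import Dict, List, Optional

DEFAULT_PASSWORD = "ist02"            # factory default reported in the write-up
MIN_LENGTH = 12                       # assumed policy value
CHANGE_PASSWORD = "change_password"   # hypothetical action name


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def password_problems(new: str, old: str) -> List[str]:
    """Return the policy violations for a proposed password (empty list = acceptable)."""
    problems = []
    if len(new) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if new == DEFAULT_PASSWORD:
        problems.append("is the factory default")
    if new == old:
        problems.append("same as the current password")
    classes = sum((any(c.islower() for c in new), any(c.isupper() for c in new),
                   any(c.isdigit() for c in new), any(not c.isalnum() for c in new)))
    if classes < 3:
        problems.append("needs at least three of: lower, upper, digit, symbol")
    return problems


class Device:
    """Toy management portal: one admin account, bearer-token sessions."""

    def __init__(self) -> None:
        self._salt = os.urandom(16)
        self._hash = _pbkdf2(DEFAULT_PASSWORD, self._salt)
        self.must_change = True           # set at factory reset, cleared only by a real change
        self._sessions: Dict[str, bool] = {}

    def login(self, password: str) -> Optional[str]:
        """Return a session token on success; the default still logs in, but the
        resulting session may only reach CHANGE_PASSWORD (see handle)."""
        if not hmac.compare_digest(_pbkdf2(password, self._salt), self._hash):
            return None
        token = secrets.token_hex(16)
        self._sessions[token] = True
        return token

    def handle(self, token: Optional[str], action: str, **params: str) -> Dict[str, object]:
        if token not in self._sessions:
            return {"status": 401, "error": "login required"}
        if self.must_change and action != CHANGE_PASSWORD:
            # The pop-up the vendor added is advisory; this is the enforced version.
            return {"status": 403, "error": "default password must be changed first"}
        if action == CHANGE_PASSWORD:
            old, new = params.get("old", ""), params.get("new", "")
            if not hmac.compare_digest(_pbkdf2(old, self._salt), self._hash):
                return {"status": 403, "error": "current password incorrect"}
            problems = password_problems(new, old)
            if problems:
                return {"status": 400, "error": "; ".join(problems)}
            self._salt = os.urandom(16)
            self._hash = _pbkdf2(new, self._salt)
            self.must_change = False
            self._sessions.clear()        # every session, including this one, must re-authenticate
            return {"status": 200, "reauth": True}
        return {"status": 200, "action": action}
```

The order of checks matters: the session check comes first so an anonymous caller learns nothing about the default-password state, and the current password is re-verified inside the change handler so a hijacked session cannot quietly set a new one.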

Access Control Flaws
CVE-2016-2296

Although there is a login page that asks for the administrator password before the Monitoring and Measurement functions are shown, the application does not enforce any access control behind it.

All pages, functions, and data can still be accessed without logging in as administrator, simply by requesting their URLs directly.

This includes the configuration pages, the ability to change plant data, the configured Modbus/inverter devices, the configuration parameters, and even rebooting the device.

For example:

Making the following direct request dumps the source of the page that contains the administrator password –

Modbus-related configuration can be dumped by calling the following URL:

Access Modbus devices

Access inverter details/status

Similarly, POST requests can be used to modify plant configuration data.

PoC [I have removed the actual data from the attack request]


Issue:
Access control is not enforced correctly.

As a fix, the vendor team reported:
Login is now protected via Basic access authentication (BA). So direct access is not possible any more.

Whether that closes the hole depends on every page and POST handler, not only the login page, sitting behind the Basic authentication check. Basic credentials also travel base64-encoded in every request, so the portal additionally needs TLS if they are not to be readable on the wire.
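One way to check that a fix of this kind actually covers every management page, as an added example that is not part of the original post or of the vendor’s software: request each path without and then with credentials, and report the ones that answer without any. The path list is a placeholder (the real URLs are not reproduced here), the fetch function is injected so the classification can be exercised offline against a fake, and redirects are deliberately not followed so that a bounce to the login form is not mistaken for a protected page.

```python
"""Added example (not Meteocontrol's or ICS-CERT's code): verifying that every
management path, not only the login page, refuses unauthenticated requests.

PATHS are placeholders; `fetch` is injected so the logic runs offline.
"""
import base64
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

# Placeholder paths (assumed); replace with the device's real management URLs.
PATHS = ["/", "/config", "/modbus", "/inverters", "/cmd", "/reboot"]

Creds = Optional[Tuple[str, str]]
Fetch = Callable[[str, str, Creds], int]   # (method, path, creds) -> HTTP status


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx codes instead of following them: a redirect to a login form
    must be looked at by a human, not counted as protected or unprotected."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_fetcher(base_url: str, timeout: float = 5.0) -> Fetch:
    """Build a real fetcher for a device at base_url (e.g. 'http://192.0.2.10')."""
    opener = urllib.request.build_opener(_NoRedirect)

    def fetch(method: str, path: str, creds: Creds) -> int:
        req = urllib.request.Request(base_url + path, method=method)
        if creds is not None:
            raw = f"{creds[0]}:{creds[1]}".encode("utf-8")
            req.add_header("Authorization", "Basic " + base64.b64encode(raw).decode("ascii"))
        try:
            with opener.open(req, timeout=timeout) as resp:
                return resp.status
        except urllib.error.HTTPError as err:
            return err.code          # 401/403/404 and, thanks to _NoRedirect, 3xx
    return fetch


def audit(paths: List[str], fetch: Fetch, creds: Tuple[str, str],
          methods: Tuple[str, ...] = ("GET",)) -> Dict[str, List[str]]:
    """Classify each method/path pair.

    unprotected: answers 2xx with no credentials (the bug the write-up describes)
    ok:          refuses anonymous callers (401/403) and admits valid credentials
    broken:      refuses anonymous callers but also refuses valid credentials
    inspect:     anything else (redirects, 404s) that needs a human look
    Only add "POST" to methods against a lab unit: on this product a bare POST
    may write configuration or reboot the device.
    """
    report: Dict[str, List[str]] = {"unprotected": [], "ok": [], "broken": [], "inspect": []}
    for path in paths:
        for method in methods:
            key = f"{method} {path}"
            anon = fetch(method, path, None)
            if anon < 300:
                report["unprotected"].append(key)
            elif anon in (401, 403):
                authed = fetch(method, path, creds)
                report["ok" if authed < 300 else "broken"].append(key)
            else:
                report["inspect"].append(f"{key} ({anon})")
    return report


if __name__ == "__main__":
    import sys
    # usage: python audit.py http://device admin 'password'
    base, user, pw = sys.argv[1:4]
    for bucket, items in audit(PATHS, http_fetcher(base), (user, pw)).items():
        print(bucket, items)
```

Run it before and after applying the vendor’s firmware: anything left in the unprotected bucket is exactly the direct-URL access described above, and a non-empty broken bucket means the authentication was bolted on in a way that also locks out the legitimate administrator.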

Sensitive information exposure
CVE-2016-2298

As noted above, the administrator password is stored in clear text. Anyone can therefore request this page, read the clear-text administrative password, and gain privileged access to the application.

Issue:
The password is stored in clear text.

As a fix, the vendor has confirmed that the password will no longer be stored or presented in clear text anywhere.

Hidden/Obscured CMD shell
CVE-2016-2297

Another interesting feature is the presence of a CMD shell. The Meteocontrol WEB’log management application offers a CMD shell that runs a restricted set of commands returning host, application and statistics data.

Like the other functions, it can be accessed directly without any authentication –

According to the vendor team (quoted):
Even in case users pass the basic authentication correctly, the user is not able to use the pseudo-shell for any critical system commands. The command set is limited to debug features only.

> I am not sure why such a shell is even necessary in the first place. There are certainly other, more secure ways to gather debug data and/or troubleshoot device issues.

Assuming that no one will ever figure out a technique to exploit this feature is not a great idea; an undocumented command interface is attack surface whether or not its current command set looks harmless.

No CSRF protection – Vulnerable to CSRF attacks
CVE-2016-4504

No CSRF token is generated per page or per (sensitive) function. Successful exploitation allows silent execution of unauthorized actions on the device through a victim’s browser: modifying plant data; modifying Modbus, inverter or any other PLC device settings; changing the administrator password; changing configuration parameters; saving the modified configuration; and rebooting the device. Note that the Basic authentication fix described above does not help here: browsers resend cached Basic credentials automatically, so a forged cross-site request issued from an administrator’s browser still carries them.
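The per-session token that is missing, as an added example that is not the vendor’s code: the token is an HMAC of the session identifier under a server-side key, so the device can recompute it on every request without storing it, and every state-changing request is refused unless the form carries the token for the caller’s own session. The request model, the handler names and the inline requests are assumptions made for illustration; the vulnerable handler is shown beside the hardened one so the difference is visible.

```python
"""Added example (not the vendor's code): a per-session CSRF token.

State-changing requests (configuration writes, password change, reboot) are
refused unless the token in the form matches the one for the caller's session.
Request model and names are assumptions; requests are constructed inline.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}   # must never change device state


class CsrfGuard:
    def __init__(self, key: Optional[bytes] = None) -> None:
        # The key lives only on the device; rotating it invalidates every token.
        self._key = key if key is not None else secrets.token_bytes(32)

    def token_for(self, session_id: str) -> str:
        """Token to embed in every form the device renders for this session."""
        return hmac.new(self._key, session_id.encode("utf-8"), hashlib.sha256).hexdigest()

    def check(self, session_id: str, presented: Optional[str]) -> bool:
        if not presented:
            return False
        return hmac.compare_digest(self.token_for(session_id), presented)


def hidden_field(guard: CsrfGuard, session_id: str) -> str:
    """What the device inserts into each of its own forms."""
    return f'<input type="hidden" name="csrf_token" value="{guard.token_for(session_id)}">'


def handle_vulnerable(request: Dict, state: Dict[str, str]) -> int:
    """The pattern the write-up describes: the session cookie (or cached Basic
    credentials) is all that is checked, so a form on any site can drive the device."""
    if request["method"] == "POST":
        state.update(request["form"])
    return 200


def handle_hardened(request: Dict, state: Dict[str, str], guard: CsrfGuard) -> int:
    """Same handler with the synchronizer-token check in front of every write."""
    if request["method"] not in SAFE_METHODS:
        form = dict(request["form"])
        if not guard.check(request["session"], form.pop("csrf_token", None)):
            return 403
        state.update(form)
    return 200
```

Two things make this work: the attacker’s page cannot read the token because the same-origin policy keeps it from reading the device’s responses, and the hardened handler never mutates state on a safe method, so a reboot or configuration write cannot be triggered by a plain GET embedded in an image tag.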

I reported this later to ICS-CERT, so I don’t know whether it has been communicated to the vendor team.

Update: ICS-CERT has updated its original advisory.

+++++

ICS-CERT published Meteocontrol advisory at:
https://ics-cert.us-cert.gov/advisories/ICSA-16-133-01

Note that it is not complete or accurate. I have already sent my comments to the ICS-CERT team so that they can correct their report. Hopefully they will update it soon.

+++++

So how bad is the current state of Meteocontrol WEB’log security?
There is no security. It is a free play, as you will have noticed.

And the risk is HIGH. Because of the access control issues, the vulnerabilities described above can be exploited remotely, easily, at mass scale and in an automated manner.

At this point it is easy to write a script that POSTs (writes) arbitrary configuration parameters to WEB’log applications and reboots the devices, at mass scale.

As proof-of-concept code, I have written a module that can extract the administrator password from WEB’log management portals. I will be posting the module shortly.

Anyone using Meteocontrol WEB’log in their network environment needs to update/upgrade the application to the latest patch/firmware/software version, AND restrict the management portals from being reachable over the Internet – right now.

+++++
Cheers!
