security advisory

SenNet Data Logger appliances and Electricity Meters Multiple Vulnerabilties

SenNet Data Logger appliances and Electricity Meters Multiple Vulnerabilities

ICS-CERT Advisory
Waiting

Note: Vendor has released the fix. Details to be documented in ICS-CERT Advisory.

About
SenNet is a trademark of Satel Spain that offers monitoring and remote-control solutions for businesses. Our engineers develop, integrate and test the products of SenNet in our facilities in Madrid (Spain).
http://www.sennetmonitoring.com/wp-content/uploads/2016/05/Datasheet_owa31I-.pdf

Vulnerable products

Deployment Geography
Americas and Europe regions

Target Audience / Industry
Energy, Power, Service Providers, Telecom

Note: all appliances seem to be running on the same code base, and therefore, all SenNet models, and software versions stand vulnerable.

Appliances Confirmed affected:

SenNet Optimal is a monitoring solution to meter consumption (electricity, gas, water) and other variables (temperature, humidity, presence, lighting …); both for industries and for businesses in the tertiary sector.

http://www.sennetmonitoring.com/en/sennet-optimal-2/

SenNet Solar is a solution for monitoring. It is suitable for any kind of power generation plants. In this type of facilities, it is essential to monitor and remotely control the devices involved in the process: inverters, meters, trackers, etc.

http://www.sennetmonitoring.com/en/sennet-solar/

SenNet Meter is an ideal device for electricity submetering.
http://www.sennetmonitoring.com/en/electricity-meters/

VULNERABILITY DETAILS

1. No access control on the remote shell
The appliance runs ARM as underlying OS. Telnet access is enabled on TCP port 5000. There is no authentication required for accessing and connecting the remote shell. Any user can connect to the shell and issue commands.

2. Shell services running with excessive privileges (superuser)
The service runs with superuser root privileges, thus giving privileged access to any user, without any authentication (exploited via OS Command Injection described nexe).

3. OS Command Injection
The remote shell (attempts to) offer a restricted environment, and does not allow executing system commands. However, it is possible to break out of this jailed shell by chaining specific shell meta-characters and OS commands.

The service / application is run as ‘root‘ and OS command injection results in full system access.

Apart from energy logging data, the device stores sensitive information such FTP, SMTP and other service login credentials, used by the application for functions, as well as to connect with other external, public facing servers.

PoC:

4. Insecure Transport – all communications are clear-text, and prone to sniffing.

+++++

I will be releasing a Metasploit module shortly.

Leave a Reply

Your email address will not be published. Required fields are marked *