Recently I posted about multiple security vulnerabilities in SenNet Data Logger appliances and Electricity Meters: https://ipositivesecurity.com/2017/04/07/sennet-data-logger-appliances-and-electricity-meters-multiple-vulnerabilties/
ICS-CERT finally released the advisory on May 11, 2017:
COMMAND INJECTION (CWE-77)
Successful exploitation of this vulnerability could result in the attacker breaking out of the jailed shell and gaining full access to the system.
CVE-2017-6048 has been assigned to this vulnerability.
The advisory only documents the OS command injection vulnerability and ignores the remaining three reported flaws altogether:
1. No access control on the remote shell
The appliance is ARM-based. A telnet service listens on TCP port 5000 and requires no authentication to connect: anyone who can reach the port is dropped into the (jailed) remote shell and can issue commands. The command injection above is what lets such a user break out of that jail.
2. Shell services running with excessive privileges (superuser)
The shell service runs as root, so the unauthenticated shell from (1) hands every connecting user full superuser privileges once the jail is escaped.
3. Insecure transport: all communications over the telnet service, including every command issued, are clear text and can be sniffed on the network.
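Issues 1 and 2 are easy to confirm from the network side: connect to TCP port 5000, read what the service sends back without supplying any credentials, and look at the prompt. The following is an added example written for this post, not code from the original report or from the vendor. It assumes nothing about the device beyond "telnet-style service on TCP 5000"; the sample banners, the prompt heuristic (a login/password prompt means authentication is attempted, a trailing shell prompt means commands are accepted immediately, and "#" conventionally marks a root shell) and the local fake service used to run it offline are all constructed for the example.

```python
"""Probe a telnet-style management port for an unauthenticated (root) shell.

Added example for this write-up; not the device's code and not the vendor's.
Banners, prompt heuristics and the fake service below are constructed.
"""
import socket
import socketserver
import sys
import threading

# Constructed sample responses (NOT captured from a real SenNet unit).
BANNER_SHELL_ROOT = b"\r\nWelcome to the management shell\r\n# "
BANNER_LOGIN = b"\r\ndevice login: "


def classify(response: bytes) -> str:
    """Classify what a bare TCP connect yields, without sending credentials.

    Heuristic (an assumption of this example):
      - a login/password prompt   -> authentication is at least attempted
      - a trailing '#' prompt     -> shell accepts commands, prompt suggests root
      - a trailing '$' or '>'     -> shell accepts commands, unprivileged prompt
    """
    text = response.decode("latin-1", errors="replace").lower()
    if any(marker in text for marker in ("login:", "username:", "password:")):
        return "auth-prompt"
    stripped = text.rstrip()
    if not stripped:
        return "no-banner"
    if stripped.endswith("#"):
        return "unauthenticated-root-shell"
    if stripped.endswith(("$", ">")):
        return "unauthenticated-shell"
    return "unknown"


def _recv_until_idle(sock: socket.socket, idle: float = 0.5, limit: int = 4096) -> bytes:
    """Read until the peer goes quiet for `idle` seconds or `limit` bytes arrive."""
    sock.settimeout(idle)
    chunks, total = [], 0
    while total < limit:
        try:
            chunk = sock.recv(1024)
        except socket.timeout:
            break
        if not chunk:  # peer closed the connection
            break
        chunks.append(chunk)
        total += len(chunk)
    return b"".join(chunks)


def probe(host: str, port: int = 5000, timeout: float = 3.0):
    """Connect, read the unsolicited banner and return (verdict, raw_bytes).

    Only an empty line is ever sent, in case the shell prints its prompt
    lazily; no credentials and no commands are transmitted.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        data = _recv_until_idle(sock)
        if not data.strip():
            sock.sendall(b"\r\n")
            data = _recv_until_idle(sock)
    return classify(data), data


class _FakeShellHandler(socketserver.BaseRequestHandler):
    """Stand-in for the device: sends a banner, then a prompt after every line."""
    banner = BANNER_SHELL_ROOT

    def handle(self):
        try:
            self.request.sendall(self.banner)
            while self.request.recv(1024):
                self.request.sendall(b"# ")
        except OSError:
            pass


def start_fake_service(banner: bytes):
    """Start a local throwaway listener on an ephemeral port; returns (server, port)."""
    handler = type("Handler", (_FakeShellHandler,), {"banner": banner})
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), handler)
    server.daemon_threads = True
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


if __name__ == "__main__":
    if len(sys.argv) > 1:  # python probe.py <host> [port]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 5000
        verdict, raw = probe(sys.argv[1], port)
    else:  # no target given: demonstrate against the constructed fake service
        server, port = start_fake_service(BANNER_SHELL_ROOT)
        try:
            verdict, raw = probe("127.0.0.1", port)
        finally:
            server.shutdown()
            server.server_close()
    print(verdict, raw)
```

Run it against a real unit with `python probe.py <host> 5000`; a verdict of "unauthenticated-root-shell" reproduces findings 1 and 2 without executing anything on the device. Finding 3 needs no probe: everything this script receives, and anything an operator types into the real service, crosses the wire in clear text because the transport is telnet.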
With the new version released, SSH will, AFAIK, be used for remote management and will run as a local user only, thereby mitigating all the reported issues.
It took Satel some time, but they took the report seriously and handled it quite well. Kudos!