[ICS] Meteocontrol WEB’log Multiple Vulnerabilities

[Karn Ganeshen <karnganeshen () gmail com>]

[ICS] Meteocontrol WEB’log Multiple Vulnerabilities

*About MeteoControl WEB’log*

Meteocontrol is a Germany-based company that maintains offices in several
countries around the world, including the US, China, Italy, Spain, France,
Switzerland, and Israel.

The affected products, WEB’log, are web-based SCADA systems that provide
functions to manage energy and power configurations in different connected
(energy/industrial) devices.

According to Meteocontrol, WEB’log is deployed across several sectors
including Commercial Facilities, Critical Manufacturing, Energy, and Water
and Wastewater Systems. Meteocontrol estimates that these products are used
primarily in Europe with a small percentage in the United States.

*Product details here:*
http://www.meteocontrol.com/en/industrial-line/data-logger-weblogs/weblog/

*Multiple versions of this application are offered:*
WEB'log Basic 100
WEB'log Light
WEB'log Pro
WEB'log Pro Unlimited

All Meteocontrol’s WEB’log versions / flavors have the same underlying
design and are vulnerable.

This product is deployed primarily in Power & Energy domain, and is used
worldwide. It is rebranded in different countries, a few that I came across
are as follows:

   - WEB’log Pro (branded by Siemens) - US
   - Powador-proLOG (branded by KACO new energy) - Germany
   - Aurora Easy Control / Aurora Easy Control Basic (both branded by power
   one) - Italy
   - Data Control Pro (branded by Mastervolt) - France


+++++
*Weak Credential Management*

Default Login password is ist02
-> gives easy administrative access to anyone

Issue:
Mandatory password change is not enforced by the application.

*Access Control Flaws*
CVE-2016-2296

All pages, functions, and data, can still be accessed without
administrative log in. This can be achieved by directly accessing the URLs.

This includes access to configuration pages, ability to change plant data,
configured modbus/inverter devices, configuration parameters, and even
rebooting the device.

For example:
Making the following direct request, dumps the source code of page that
contains administrator password-
http://IP/html/en/confAccessProt.html

Modbus related configuration can be dumped by calling the following url:
http://IP/html/en/confUnvModbus.html

Access modbus devices
http://IP/html/en/ajax/viewunvmodbus.xml

Similarly, certain POST requests can be used to Modify Plant Configuration
Data, without any authentication.

Issue:
Access control is not enforced correctly.

*Sensitive information exposure*
CVE-2016-2298

As noted above, Administrator password is stored in clear-text. So anyone
can make a request to this page and get the clear-text Administrative
password for the application, and gain privileged access.

Issue:
Password is stored in clear-text.

*Hidden/Obscured CMD shell*
CVE-2016-2297

Another interesting feature is presence of a CMD shell. Meteocontrol
WEB'log management application offers a CMD shell which allows running a
restricted set of commands that gives host, application and stats data.

And as like other functions, it can be accessed directly without any
authentication -
http://IP/html/en/xprtCmd.html

Assuming no one will be able to figure out a technique to exploit this
feature, is not a great idea.

*No CSRF protection - Vulnerable to CSRF attacks*
There is no CSRF Token generated per page and / or per (sensitive)
function. Successful exploitation of this vulnerability can allow silent
execution of unauthorized actions on the device such as modifying plant
data, modifying modbus/inverter/any other PLC devices, changing
Administrator password, changing configuration parameters, saving modified
configuration, & device reboot.

+++++

ICS-CERT published Meteocontrol advisory at:
https://ics-cert.us-cert.gov/advisories/ICSA-16-133-01

Note that it is not complete and accurate. I have already sent my comments
to ICS-CERT team to correct their report. Hopefully they will update it
soon.

+++++

Cheers!
-- 
Best Regards,
Karn Ganeshen

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/