Saturday, May 14, 2016

[ICS] Meteocontrol WEB’log Multiple Vulnerabilities


About MeteoControl WEB’log

Meteocontrol is a Germany-based company that maintains offices in several countries around the world, including the US, China, Italy, Spain, France, Switzerland, and Israel.


The affected products, WEB’log, are web-based SCADA systems that provide functions to manage energy and power configurations in different connected (energy/industrial) devices. 

According to Meteocontrol, WEB’log is deployed across several sectors including Commercial Facilities, Critical Manufacturing, Energy, and Water and Wastewater Systems. Meteocontrol estimates that these products are used primarily in Europe with a small percentage in the United States.


Product details here:

Multiple versions of this application are offered:
WEB'log Basic 100
WEB'log Light
WEB'log Pro
WEB'log Pro Unlimited
All Meteocontrol’s WEB’log versions / flavors have the same underlying design and are vulnerable.

This product is deployed primarily in the power and energy domain and is used worldwide. It is rebranded in different countries; a few that I came across are as follows:

WEB’log Pro (branded by Siemens) - US
Powador-proLOG (branded by KACO new energy) - Germany
Aurora Easy Control / Aurora Easy Control Basic (both branded by Power-One) - Italy
Data Control Pro (branded by Mastervolt) - France

+++++
Weak Credential Management

The default login password is ist02
-> this gives easy administrative access to anyone who knows it

Issue:
Mandatory password change is not enforced by the application.

As a mitigation, the vendor's team has now added an additional pop-up message if the password is still the default.

> The problem is that they still have not enforced a mandatory password change. Relying on the end user to change the default password is not a good security practice. Instead, the application must have a mechanism to ensure that the user changes any default login password(s) to strong values.
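What "a mechanism to ensure that the user changes any default login password" looks like in code, as an added example that is not part of the original post and not Meteocontrol's code: the account ships with the default password ist02 named above, stays flagged must_change until a non-default, policy-passing password is set, and stores only a salted PBKDF2 hash. The policy thresholds (MIN_LENGTH, the character-class rule) and the PBKDF2 round count are assumptions for the demo, not vendor values.

```python
import hashlib
import hmac
import os

# The factory default password named in the post.
DEFAULT_PASSWORD = "ist02"
# Assumed policy values for the demo, not taken from the vendor.
MIN_LENGTH = 12
PBKDF2_ROUNDS = 200_000


def hash_password(password, salt=None):
    """Return (salt, digest) using PBKDF2-HMAC-SHA256 with a random salt."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password, salt, digest):
    """Constant-time comparison so a timing difference does not leak the hash."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def is_acceptable(password):
    """Reject the factory default outright, then apply the assumed length and
    character-class policy (three of: lower, upper, digit, symbol)."""
    if password == DEFAULT_PASSWORD or len(password) < MIN_LENGTH:
        return False
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    return sum(classes) >= 3


class AdminAccount:
    """Administrator account created with the default password and flagged
    must_change until the password has been replaced."""

    def __init__(self):
        self.salt, self.digest = hash_password(DEFAULT_PASSWORD)
        self.must_change = True

    def login(self, password):
        """Return 'denied', 'change_required' or 'ok'. While the result is
        'change_required' the device should serve only the password-change
        form and refuse every other page; a pop-up alone does not do that."""
        if not verify_password(password, self.salt, self.digest):
            return "denied"
        return "change_required" if self.must_change else "ok"

    def change_password(self, current, new):
        """Replace the password; requires proof of the current one and a new
        value that passes policy. Clears must_change on success."""
        if not verify_password(current, self.salt, self.digest):
            return False
        if not is_acceptable(new):
            return False
        self.salt, self.digest = hash_password(new)
        self.must_change = False
        return True


if __name__ == "__main__":
    acct = AdminAccount()
    print(acct.login("ist02"))                                   # change_required
    print(acct.change_password("ist02", "Correct-Horse-Battery-9"))  # True
    print(acct.login("ist02"))                                   # denied
```

The important design point is that the gate lives in login(), not in a reminder on a page: until must_change is cleared, the only valid outcome of a correct default password is being sent to the change form, so the device never operates with ist02 in place.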

Access Control Flaws
CVE-2016-2296

Though there is a login page to enter the administrator password and access the Monitoring and Measurement functions, the application does not enforce any access control.

All pages, functions, and data can still be accessed without an administrative login, simply by requesting the URLs directly.

This includes access to configuration pages, the ability to change plant data, configured Modbus/inverter devices and configuration parameters, and even rebooting the device.

For example, making the following direct request dumps the source of the page that contains the administrator password:
http://IP/html/en/confAccessProt.html

Modbus-related configuration can be dumped by requesting the following URL:
http://IP/html/en/confUnvModbus.html

Access to Modbus devices:
http://IP/html/en/ajax/viewunvmodbus.xml

Access to inverter details/status:
http://IP/html/en/viewStatusWrSiemens.html

Similarly, POST requests can be used to modify plant configuration data.

PoC [I have removed the actual data from the attack request]

POST /ist.cgi HTTP/1.1
Host: IP
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.130 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://IP/html/en/confAnlage.html
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: X
anlageFaxTime=5&ucDigitalOutReset=0&anlagebez1=&anlagebetreiber=&anlageleistung=&anlageflaeche=&anlageetaModul=&anlageetaWR=&anlageAnzTeil=&anlageintervall=&anlageOrient=&anlageNeigung=&anlageModultyp=&anlageWrtyp=&anlageEmailAdr=4&anlageEmailAdrCC1=&anlageEmailAdrCC2=&anlageSendDayDataActive=&dialprefix=&dialmethod=&dialringtmo=&anlageCountryPrefix=&sys_locale=en&rufannahme=&dialringmax=&anlageFaxContact=&iHour=&iMinute=

Issue:
Access control is not enforced correctly.

As a fix, the vendor team reported (quoted):
Login is now protected via Basic access authentication (BA).
So direct access is not possible any more.

I think this should resolve the access control issues.
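The underlying flaw is that the login page was a separate page rather than a gate every request passed through. The following is an added example (not the post's code and not the vendor's fix) of the deny-by-default shape the reported Basic authentication fix needs: every (method, path), including the confAccessProt.html, confUnvModbus.html, xprtCmd.html and ist.cgi endpoints listed above, is refused with 401 unless it is on an explicit public allowlist or carries valid credentials. The handlers, the admin credential, and the public path /html/en/login.html are constructed for the demo.

```python
import base64
import hmac

# Constructed credential for the demo; a real device would verify against
# the hashed password in its store rather than a literal.
ADMIN_USER = "admin"
ADMIN_PASSWORD = "Correct-Horse-Battery-9"

# Only the login page is assumed public (assumed path, not a vendor path).
# Everything not listed here requires credentials, including unknown paths.
PUBLIC_PATHS = {"/html/en/login.html"}

# Stand-ins for the device's pages, keyed by (method, path).
HANDLERS = {
    ("GET", "/html/en/confAccessProt.html"): lambda req: (200, "access-protection config"),
    ("GET", "/html/en/confUnvModbus.html"): lambda req: (200, "modbus config"),
    ("GET", "/html/en/xprtCmd.html"): lambda req: (200, "cmd shell page"),
    ("POST", "/ist.cgi"): lambda req: (200, "plant config saved"),
    ("GET", "/html/en/login.html"): lambda req: (200, "login form"),
}


def basic_header(user, password):
    """Build the client-side 'Authorization: Basic ...' value (demo helper)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def parse_basic_auth(header):
    """Return (user, password) from a Basic header, or None if malformed."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


def credentials_valid(creds):
    if creds is None:
        return False
    user, password = creds
    # Compare both fields with compare_digest and combine with '&' (not 'and')
    # so the check does not stop early on a wrong username.
    ok_user = hmac.compare_digest(user.encode(), ADMIN_USER.encode())
    ok_pass = hmac.compare_digest(password.encode(), ADMIN_PASSWORD.encode())
    return ok_user & ok_pass


def dispatch(request):
    """Deny-by-default gate. The authentication decision happens before the
    handler lookup, so unknown paths are 401 (not 404) to unauthenticated
    callers and the gate cannot be bypassed by guessing a URL."""
    method, path = request["method"], request["path"]
    if path not in PUBLIC_PATHS:
        creds = parse_basic_auth(request.get("headers", {}).get("Authorization"))
        if not credentials_valid(creds):
            # A real server also sends: WWW-Authenticate: Basic realm="WEB'log"
            return 401, "authentication required"
    handler = HANDLERS.get((method, path))
    if handler is None:
        return 404, "not found"
    return handler(request)


if __name__ == "__main__":
    print(dispatch({"method": "GET", "path": "/html/en/confAccessProt.html"}))
    good = {"Authorization": basic_header(ADMIN_USER, ADMIN_PASSWORD)}
    print(dispatch({"method": "GET", "path": "/html/en/confAccessProt.html", "headers": good}))
```

One caveat a practitioner should attach to the vendor's fix: Basic authentication only base64-encodes the credential on every request, so over the plain http:// URLs shown in this post it is readable on the wire; the gate needs TLS in front of it to actually protect the administrator password it is guarding.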

Sensitive information exposure
CVE-2016-2298

As noted above, the administrator password is stored in clear text and served in the confAccessProt.html page, so anyone can request that page, obtain the clear-text administrator password, and gain privileged access to the application.

Issue:
The password is stored in clear text.

As a fix, the vendor has confirmed that the password will not be stored or presented in clear text anywhere.


Hidden/Obscured CMD shell
CVE-2016-2297

Another interesting feature is the presence of a CMD shell. The Meteocontrol WEB'log management application offers a CMD shell that allows running a restricted set of commands returning host, application, and statistics data.

And like the other functions, it can be accessed directly without any authentication:
http://IP/html/en/xprtCmd.html

According to the vendor team (quoted):
Even in case users pass the basic authentication correctly, the user is not able to use the pseudo-shell for any critical system commands. The command set is limited to debug features only.

> I am not sure why such a shell is even necessary in the first place. There are certainly other, more secure ways to gather debug data and/or troubleshoot device issues.

Assuming that no one will be able to figure out a technique to exploit this feature is not a great idea.

No CSRF protection - Vulnerable to CSRF attacks
CVE-2016-4504
There is no CSRF token generated per page and/or per (sensitive) function. Successful exploitation of this vulnerability can allow silent execution of unauthorized actions on the device, such as modifying plant data; modifying Modbus, inverter, or any other PLC devices; changing the administrator password; changing configuration parameters; saving the modified configuration; and rebooting the device.

I reported this later to ICS-CERT, so I don't know if it has been communicated to the vendor team or not.

Update: ICS-CERT has updated its original advisory.
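The CSRF issue above is what a per-session token plus an origin check closes: the browser attaches the session cookie to a cross-site POST automatically, but it cannot read or forge a token that lives in the device's own form, and it cannot spoof its own Origin header. The following is an added example, not the post's code and not a Meteocontrol implementation, of the check a state-changing handler such as the /ist.cgi plant-configuration POST from this post would run before acting. The session store, the server secret, and the allowed origin http://weblog.example.internal are constructed for the demo.

```python
import hashlib
import hmac
import os
import secrets
from urllib.parse import urlsplit

# Constructed server state for the demo.
SERVER_SECRET = os.urandom(32)
SESSIONS = {}   # session_id -> {"user": ...}

# State-changing function from the post; others would be listed the same way.
STATE_CHANGING = {("POST", "/ist.cgi")}
# The device's own origin (assumed value); cross-site requests will not match.
ALLOWED_ORIGINS = {"http://weblog.example.internal"}


def new_session(user):
    """Create a session with an unguessable id and return the id."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user}
    return sid


def csrf_token(session_id):
    """Synchronizer token derived with HMAC from the session id: nothing extra
    to store, and a token minted for one session is useless in another."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def same_origin(value):
    """True if an Origin or Referer header names the device itself."""
    parts = urlsplit(value or "")
    return f"{parts.scheme}://{parts.netloc}" in ALLOWED_ORIGINS


def csrf_check(request):
    """Return (allowed, reason). Reads pass through; a state-changing request
    needs a live session cookie, a token in the form body that matches that
    session, and an Origin (or Referer) belonging to the device."""
    if (request["method"], request["path"]) not in STATE_CHANGING:
        return True, "not state-changing"
    sid = request.get("cookies", {}).get("session")
    if sid not in SESSIONS:
        return False, "no session"
    token = request.get("form", {}).get("csrf_token", "")
    if not hmac.compare_digest(token.encode(), csrf_token(sid).encode()):
        return False, "csrf token missing or wrong"
    headers = request.get("headers", {})
    if not same_origin(headers.get("Origin") or headers.get("Referer")):
        return False, "cross-site origin"
    return True, "ok"


if __name__ == "__main__":
    sid = new_session("admin")
    # The device embeds csrf_token(sid) as a hidden field in its own form.
    legit = {"method": "POST", "path": "/ist.cgi",
             "cookies": {"session": sid},
             "headers": {"Origin": "http://weblog.example.internal"},
             "form": {"csrf_token": csrf_token(sid), "anlageFaxTime": "5"}}
    print(csrf_check(legit))                                   # (True, 'ok')
    print(csrf_check(dict(legit, form={"anlageFaxTime": "5"})))  # token missing
```

The token and origin checks are deliberately independent: the origin check catches the cross-site case even if a token leaks, and the token catches clients that send no Origin or Referer header at all, which is why the request is refused rather than allowed when both headers are absent.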

+++++
ICS-CERT published the Meteocontrol advisory at:

Note that it is not complete or accurate. I have already sent my comments to the ICS-CERT team to correct their report. Hopefully they will update it soon.
+++++

So how bad is the current state of Meteocontrol WEB'log security?

There is no security. It is a free-for-all, as you will have noticed.

And the risk is HIGH. Due to the access control issues, the vulnerabilities described above can be exploited remotely, easily, at mass scale, and in an automated manner.

At this point, it is easy to write a script that will POST (write) arbitrary configuration parameters to WEB'log applications and reboot the devices at mass scale.

As a proof of concept code, I have written a module that can extract Administrator password off of WEB'log management portals. I will be posting the module shortly.

Anyone using Meteocontrol WEB'log in their network environment needs to update/upgrade the application to the latest patch/firmware/software version, AND restrict the management portals from being accessible over the Internet - right now.
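Until the firmware is updated and the portal is off the Internet, the endpoints named in this post are also the ones to watch for in web or reverse-proxy logs. The following is an added example, not part of the post, that runs a simple detection over constructed Apache/nginx "combined" format log lines: it raises an alert for any request to one of the listed WEB'log endpoints that the device actually served (2xx/3xx) either without an authenticated user or from outside the trusted management networks, and records refused (4xx) attempts separately as probes. The sample lines, the 10.0.0.0/8 trusted range, and the log format are assumptions; the endpoint list is taken from the post.

```python
import ipaddress
import re

# Apache/nginx "combined" format: ip ident user [time] "req" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Endpoints this post names as reachable without login.
SENSITIVE = {
    ("GET", "/html/en/confAccessProt.html"),
    ("GET", "/html/en/confUnvModbus.html"),
    ("GET", "/html/en/ajax/viewunvmodbus.xml"),
    ("GET", "/html/en/viewStatusWrSiemens.html"),
    ("GET", "/html/en/xprtCmd.html"),
    ("POST", "/ist.cgi"),
}

# Networks from which management access is expected (assumed value).
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample lines; "IP" in the Referer mirrors the post's redaction.
SAMPLE_LOG = """\
10.1.2.3 - admin [14/May/2016:10:00:01 +0000] "GET /html/en/confUnvModbus.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.7 - - [14/May/2016:10:00:05 +0000] "GET /html/en/confAccessProt.html HTTP/1.1" 200 2048 "-" "curl/7.47.0"
203.0.113.7 - - [14/May/2016:10:00:06 +0000] "POST /ist.cgi HTTP/1.1" 200 512 "http://IP/html/en/confAnlage.html" "Mozilla/5.0"
10.1.2.3 - - [14/May/2016:10:00:09 +0000] "GET /html/en/xprtCmd.html HTTP/1.1" 200 900 "-" "Mozilla/5.0"
10.1.2.3 - admin [14/May/2016:10:00:12 +0000] "GET /html/en/index.html HTTP/1.1" 200 300 "-" "Mozilla/5.0"
203.0.113.9 - - [14/May/2016:10:00:15 +0000] "GET /html/en/confAccessProt.html HTTP/1.1" 401 0 "-" "curl/7.47.0"
""".splitlines()


def parse(line):
    """Return the named fields of one combined-format line, or None."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyze(lines, trusted_nets=TRUSTED_NETS):
    """Return (alerts, probes). An alert is a served request to a sensitive
    endpoint with at least one reason; a probe is a refused (4xx/5xx) one."""
    alerts, probes = [], []
    for line in lines:
        rec = parse(line)
        if rec is None or (rec["method"], rec["path"]) not in SENSITIVE:
            continue
        src = ipaddress.ip_address(rec["ip"])
        reasons = []
        if rec["user"] == "-":
            reasons.append("no authenticated user")
        if not any(src in net for net in trusted_nets):
            reasons.append("source outside trusted networks")
        if int(rec["status"]) >= 400:
            probes.append(rec)          # the gate held; still worth counting
            continue
        if reasons:
            alerts.append({"ip": rec["ip"], "method": rec["method"],
                           "path": rec["path"], "reasons": reasons})
    return alerts, probes


if __name__ == "__main__":
    found, seen = analyze(SAMPLE_LOG)
    for a in found:
        print(a["ip"], a["method"], a["path"], "; ".join(a["reasons"]))
    print(f"{len(seen)} refused probe(s)")
```

On the sample, the authenticated internal request to confUnvModbus.html is silent, the two external unauthenticated requests and the internal unauthenticated hit on the CMD shell page each alert, and the 401 is counted as a probe. Once the vendor's Basic authentication fix is in place, the "no authenticated user" reason alone should never fire on a 200; if it does, the gate is not covering that path.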

+++++
Cheers!


Disclaimer

The views, information & opinions expressed in this blog are my own and do not reflect the views of my current or former employers or employees or colleagues.