The VMU-C webserver suffers from cross site request forgery, cross site scripting, access control, weak credential management, and insecure storage vulnerabilities. VMU-C EM prior to firmware Version A11_U05 and VMU-C PV prior to firmware Version A17 are affected.
07e16456b846d15782e24a428bd71425*VMU-C Web-Server solution for photovoltaic applications*
VMU-C EM is a data logger system for small to medium projects, VMUC-Y EM is
a hardware data aggregator for medium to larger projects and Em2 Server is
a software solution for large projects. They are designed to complement the
extensive line of Carlo Gavazzi energy meters and current transformers.
*ICS-CERT advisory*
https://ics-cert.us-cert.gov/advisories/ICSA-17-012-03
*CVE-IDs*
CVE-2017-5144
CVE-2017-5145
CVE-2017-5146
*Vulnerable versions*
- VMU-C EM prior to firmware Version A11_U05, and
- VMU-C PV prior to firmware Version A17
*1. Weak Credentials Management*
-> admin/admin
-> Application does not enforce mandatory password change
*2. Sensitive Information stored in clear-text*
Accounts menu option
a shows username and password
a passwords shown in clear-text
a SMTP server password
a user and service passwords are stored in clear-text
*3. Access Control flaws*
1. Access control is not enforced correctly
2. Certain application functions can be accessed without any
authentication
3. Application stores the Energy / Plant data in a sqlite database -
EWPlant.db. Anyone can dump plant database file - without any authentication
*4. Reflected + Stored XSS - multiple URLs, parameters - *Not documented in
ICS-CERT Advisory
Successful exploitation of this vulnerability could allow an
unauthenticated attacker to inject arbitrary JavaScript in a specially
crafted URL request where the response containing user data is returned to
the web browser without being made safe to display.
*5. Vulnerable to Cross-Site Request Forgery*
There is no CSRF Token generated per page and / or per (sensitive)
function. Successful exploitation of this vulnerability can allow silent
execution of unauthorized actions on the device such as configuration
parameter changes, and saving modified configuration.
+++++