VMU-C CSRF / XSS / Access Control

The VMU-C webserver suffers from cross site request forgery, cross site scripting, access control, weak credential management, and insecure storage vulnerabilities. VMU-C EM prior to firmware Version A11_U05 and VMU-C PV prior to firmware Version A17 are affected.


MD5 | 07e16456b846d15782e24a428bd71425

*VMU-C Web-Server solution for photovoltaic applications*

VMU-C EM is a data logger system for small to medium projects, VMUC-Y EM is
a hardware data aggregator for medium to larger projects and Em2 Server is
a software solution for large projects. They are designed to complement the
extensive line of Carlo Gavazzi energy meters and current transformers.

*ICS-CERT advisory*
https://ics-cert.us-cert.gov/advisories/ICSA-17-012-03

*CVE-IDs*
CVE-2017-5144
CVE-2017-5145
CVE-2017-5146

*Vulnerable versions*

- VMU-C EM prior to firmware Version A11_U05, and
- VMU-C PV prior to firmware Version A17


*1. Weak Credentials Management*
-> admin/admin
-> Application does not enforce mandatory password change

*2. Sensitive Information stored in clear-text*
Accounts menu option
a shows username and password
a passwords shown in clear-text
a SMTP server password
a user and service passwords are stored in clear-text

*3. Access Control flaws*

1. Access control is not enforced correctly
2. Certain application functions can be accessed without any
authentication
3. Application stores the Energy / Plant data in a sqlite database -
EWPlant.db. Anyone can dump plant database file - without any authentication

*4. Reflected + Stored XSS - multiple URLs, parameters - *Not documented in
ICS-CERT Advisory

Successful exploitation of this vulnerability could allow an
unauthenticated attacker to inject arbitrary JavaScript in a specially
crafted URL request where the response containing user data is returned to
the web browser without being made safe to display.

*5. Vulnerable to Cross-Site Request Forgery*

There is no CSRF Token generated per page and / or per (sensitive)
function. Successful exploitation of this vulnerability can allow silent
execution of unauthorized actions on the device such as configuration
parameter changes, and saving modified configuration.

+++++



Related Posts