OVERVIEW
This advisory provides mitigation details for multiple vulnerabilities that impact the Carlo
Gavazzi EOS-Box Photovoltaic Monitoring System.
Carlo Gavazzi has identified two vulnerabilities in the Carlo Gavazzi EOS-Box Photovoltaic
Monitoring System. Carlo Gavazzi has produced a firmware update that fully resolves these
vulnerabilities. Successful exploitation of the vulnerabilities would allow an attacker to gain
unauthorized access, access private information, and execute remote code. This device is used in
the energy sector.
These vulnerabilities could be exploitable remotely. Exploits that target these vulnerabilities are
publicly available.
AFFECTED PRODUCTS
The following Carlo Gavazzi device with firmware version prior to 1.0.0.1080_2.1.10 is
affected:
• EOS-Box
IMPACT
Attackers could use the vulnerabilities to exploit the device by gaining unauthorized access in the
system, leaking stored information, and remotely executing code on the device. This could allow
a loss of availability, integrity, and confidentiality of the affected system. Carlo Gavazzi products
are widely used in industrial automation and energy systems. The energy sector is affected.
Impact to individual organizations depends on many factors that are unique to each organization.
ICS-CERT recommends that organizations evaluate the impact of these vulnerabilities based on
their operational environment, architecture, and product implementation.ICS-CERT Advisory ICSA-12-354-02 Page 2 of 4
BACKGROUND
Carlo Gavazzi Automation is a Italian-based company that maintains offices in several countries
around the world, including the United States.
The affected product, EOS-Box, is an embedded PC that supervises photovoltaic plants,
operating as an integrated control system. According to Carlo Gavazzi, the EOS-Box is deployed
across the renewable energy sector. Carlo Gavazzi estimates that these products are used
primarily in the United States, Canada, Europe, and Asia.
VULNERABILITY CHARACTERIZATION
VULNERABILITY OVERVIEW
HARD-CODED CREDENTIALS
a
The Carlo Gavazzi device stores hard-coded passwords in the PHP file of the device. By using
the hard-coded passwords, attackers can log into the device with administrative privileges. This
could allow the attacker to have unauthorized access.
CVE-2012-6428
b
has been assigned to this vulnerability. A CVSS v2 base score of 10.0 has been
assigned; the CVSS vector string is (AV:N/AC:L/Au:N/C:C/I:C/A:C).
c
SQL INJECTION
d
The Carlo Gavazzi device does not check the validity of the data before executing queries. By
accessing the SQL table of certain pages that do not require authentication, attackers can leak
information from the device. This could allow the attacker to compromise confidentiality.
CVE-2012-6427
e
has been assigned to this vulnerability. A CVSS v2 base score of 7.8 has been
assigned; the CVSS vector string is (AV:N/AC:L/Au:N/C:C/I:N/A:N).
f
a. CWE, http://cwe.mitre.org/data/definitions/259.html, CWE-259: Use of Hard-Coded Password, Web site last
accessed December 18, 2012.
b. NVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-6428 , NIST uses this advisory to create the
CVE Web site report. This Web site will be active sometime after publication of this advisory.
c. CVSS Calculator, http://nvd.nist.gov/cvss.cfm?version=2&vector=(AV:N/AC:L/Au:N/C:C/I:C/A:C), Web site
last visited December 18, 2012.
d. CWE, http://cwe.mitre.org/data/definitions/89.html, CWE-89: SQL Injection, Web site last accessed December
18, 2012.
e. NVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-6427, NIST uses this advisory to create the
CVE Web site report. This Web site will be active sometime after publication of this advisory.ICS-CERT Advisory ICSA-12-354-02 Page 3 of 4
VULNERABILITY DETAILS
EXPLOITABILITY
These vulnerabilities could be exploitable remotely.
EXISTENCE OF EXPLOIT
Exploits that target these vulnerabilities are publicly available.
DIFFICULTY
An attacker with a low skill would be able to exploit these vulnerabilities.
MITIGATION
Carlo Gavazzi has developed a new firmware Version 1.0.0.1080_2.1.10 that mitigates these
vulnerabilities. Carlo Gavazzi released the new firmware Tuesday, December 18, 2012, directly
to the devices. Users will be able to manually download the firmware on their device by using
the Firmware Update function in the System Menu in the device’s Web interface.
ICS-CERT encourages asset owners to take additional defensive measures to protect against this
and other cybersecurity risks.
• Minimize network exposure for all control system devices. Critical devices should not
directly face the Internet.
• Locate control system networks and remote devices behind firewalls, and isolate them from
the business network.
• When remote access is required, use secure methods, such as Virtual Private Networks
(VPNs), recognizing that VPN is only as secure as the connected devices.
ICS-CERT also provides a section for control systems security recommended practices on the
ICS-CERT Web page. Several recommended practices are available for reading and download,
including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth
Strategies.
g
ICS-CERT reminds organizations to perform proper impact analysis and risk
assessment prior to taking defensive measures.
f. CVSS Calculator, http://nvd.nist.gov/cvss.cfm?version=2&vector=(AV:N/AC:L/Au:N/C:C/I:N/A:N), Web site
last visited December 18, 2012.
g. CSSP Recommended Practices, http://www.us-cert.gov/control_systems/practices/Recommended_Practices.html,
Web site last accessed December 18, 2011.ICS-CERT Advisory ICSA-12-354-02 Page 4 of 4
Additional mitigation guidance and recommended practices are publicly available in the
ICS-CERT Technical Information Paper, ICS-TIP-12-146-01A—Targeted Cyber Intrusion
Detection and Mitigation Strategies,
h
www.ics-cert.org
that is available for download from the ICS-CERT Web
page ( ).
Organizations observing any suspected malicious activity should follow their established internal
procedures and report their findings to ICS-CERT for tracking and correlation against other
incidents.
ICS-CERT CONTACT
For any questions related to this report, please contact ICS-CERT at:
Email: ics-cert@hq.dhs.gov
Toll Free: 1-877-776-7585
For industrial control systems security information and incident reporting: www.ics-cert.org
ICS-CERT continuously strives to improve its products and services. You can help by answering
a short series of questions about this product at the following URL: https://forms.uscert.gov/ncsd-feedback/.
DOCUMENT FAQ
What is an ICS-CERT Advisory? An ICS-CERT Advisory is intended to provide awareness or
solicit feedback from critical infrastructure owners and operators concerning ongoing cyber
events or activity with the potential to impact critical infrastructure computing networks.
When is vulnerability attribution provided to researchers? Attribution for vulnerability
discovery is always provided to the vulnerability reporter unless the reporter notifies ICS-CERT
that they wish to remain anonymous. ICS-CERT encourages researchers to coordinate
vulnerability details before public release. The public release of vulnerability details prior to the
development of proper mitigations may put industrial control systems and the public at avoidable
risk.
h. Targeted Cyber Intrusion Detection and Mitigation Strategies, http://www.us-cert.gov/control_systems/pdf/ICSTIP-12-146-01A.pdf, Web site last accessed Dec 18, 2012
Source link: http://www.us-cert.gov/control_systems/pdf/ICSA-12-354-02.pdf