Saturday, December 2, 2023

Critical RCE Bugs Expose Hundreds of Solar Power Stations

Recently, cybersecurity researchers at VulnCheck revealed that hundreds of internet-exposed SolarView systems on Shodan have been patched against a critical command injection vulnerability.

Experts indicated that both the Mirai botnet hackers and inexperienced individuals have already begun exploiting it, with more expected to join in.

Unit 42 researchers at Palo Alto Networks found that the Mirai botnet is exploiting a command injection vulnerability (CVE-2022-29303) in Contec’s SolarView Series software to spread.

Over 30,000 solar power stations utilize SolarView, and among the critical vulnerabilities, CVE-2022-29303 stands as one of three.

Flaw Profile

  • CVE ID: CVE-2022-29303
  • Description: SolarView Compact ver.6.00 was discovered to contain a command injection vulnerability via conf_mail.php.
  • CVSS Score: 9.8
  • Severity: CRITICAL

SolarView Systems Indexed

Currently, there are over 600 systems indexed by Shodan. SolarView tracks and displays solar power generation and storage for small to medium-scale installations.

systems (Source – VulnCheck)

Given the indexed public exploits by VulnCheck Exploit Intelligence, experts delved into exploring the potential scope and impact of this exploitation in real-world scenarios.

Besides its introduction on more than 30000 power stations, Contec also highlights the deployment scenarios for:-

  • SolarView Air
  • SolarView Battery

This shows the hardware’s application in buildings and solar power plants that are commercial in nature.

While one should never come across an internet-accessible Contec SolarView due to its clear focus on ICS networks

SolarView’s impacted versions include ‘ver.6.00,’ which dates back to 2019, and since then, SolarView Compact has undergone four firmware updates:-

  • 6.20 in 2019
  • 7.00 in 2021
  • 8.00 in 2022
  • 8.10 in 2023

It implies that a limited number of exposed hosts are susceptible to the vulnerability. CVE-2022-29303 impacts the conf_mail.php endpoint of the web server, and despite version 6.20 being released after the vulnerable 6.00, it did not address the problem.

Both versions 6.00 and 6.20 were affected, with experts discovering the existence of a simple command injection in conf_mail.php since version 4.00.

Validation was implemented for the attacker-controlled $mail_address variable only in version 8.00 when conf_mail.php was included in the auth require list.

The impact extends beyond what the CVE description suggests, as less than one-third of the internet-exposed SolarView series systems have addressed CVE-2022-29303.

Vulnerable Systems (Source – VulnCheck)

The blog from Unit 42 wasn’t the initial signal of the vulnerability being exploited; since May 2022, an Exploit-DB entry for CVE-2022-29303 has existed.

Other RCEs

The SolarView systems are also impacted by a few additional unauthenticated Remote Code Executions (RCEs), and here they are mentioned below:-

Up to version 8.00, the SolarView series is vulnerable to CVE-2023-23333, and it’s a simple command injection impacting the downloader.php endpoint.

Compact versions 4.0, 5.0, and 6.0 are susceptible to CVE-2022-44354, a file upload vulnerability enabling attackers to upload a PHP web shell onto the system.

Since the SolarView series primarily serve as a monitoring system, the worst-case scenario would likely involve a loss of visibility.

The exploitation’s impact can vary significantly depending on the network integration of the SolarView hardware, potentially resulting in substantial consequences.

It is crucial for organizations to monitor their public IP space and stay updated on public exploits targeting their essential systems.

“AI-based email security measures Protect your business From Email Threats!” – Request a Free Demo.


Latest articles

Cactus Ransomware Exploiting Qlik Sense code execution Vulnerability

A new Cactus Ransomware was exploited in the code execution vulnerability to Qlik Sense...

Hackers Bypass Antivirus with ScrubCrypt Tool to Install RedLine Malware

The ScrubCrypt obfuscation tool has been discovered to be utilized in attacks to disseminate the RedLine Stealer...

Hotel’s Hacked Logins Let Attacker Steal Guest Credit Cards

According to a recent report by Secureworks, a well-planned and advanced phishing attack was...

Critical Zoom Vulnerability Let Attackers Take Over Meetings

Zoom, the most widely used video conferencing platform has been discovered with a critical...

Hackers Using Weaponized Invoice to Deliver LUMMA Malware

Hackers use weaponized invoices to exploit trust in financial transactions, embedding malware or malicious...

US-Seized Crypto Currency Mixer Used by North Korean Lazarus Hackers

The U.S. Treasury Department sanctioned the famous cryptocurrency mixer Sinbad after it was claimed...

CISA Warns Hackers Exploiting Wastewater Systems Logic Controllers

In a disconcerting turn of events, cyber threat actors have set their sights on...
Tushar Subhra Dutta
Tushar Subhra Dutta
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

API Attack Simulation Webinar

Live API Attack Simulation

In the upcoming webinar, Karthik Krishnamoorthy, CTO and Vivek Gopalan, VP of Products at Indusface demonstrate how APIs could be hacked.The session will cover:an exploit of OWASP API Top 10 vulnerability, a brute force account take-over (ATO) attack on API, a DDoS attack on an API, how a WAAP could bolster security over an API gateway

Related Articles