Following the news that a power monitor by Rockwell Automation, that is used by energy companies worldwide, is vulnerable to public exploits, Andrea Carcano, Co-founder and CPO at Nozomi Networks commented below.
Andrea Carcano, Co-founder and CPO at Nozomi Networks:
“Both the reported vulnerabilities are related to the web interface exposed by the device for configuration purposes; they require a very low skill level to be exploited.
In the first case, CVE-2019-19615, the issue is Cross-Site Scripting (XSS) and it is quite common in web applications; An XSS vulnerability occurs when a web page displays user input (usually JavaScript) that isn’t properly validated. An attacker can take advantage of the wrong input validation causing a web page to execute malicious code on any user’s computer that views the page.
The second reported issue, CVE-2019-19616, is caused by a wrong user segregation management. Instead of implementing a strong user validation server-side, the PLC greyed some buttons inside the HTML page sent to the user’s browser. In this way, an attacker can modify the HTML code inside his browser to enable the button bypassing the authentication.
When it comes to remediation of CVE-2019-19615, a temporary fix could involve disabling JavaScript in the browser’s configuration in order to not execute malicious code; on the other hand, this could impact the PLC’s web interface usability, particularly if it requires JavaScript in order to work properly.
In terms of remediating the second vulnerability (CVE-2019-19616), the permanent fix is to apply the vendor’s patch because it requires a server-side bugfix.
Our security research team is developing a signature (packet rule) in order to rapidly detect the XSS vulnerability CVE-2019-19615; it will be available soon to our OT ThreatFeed customers.”
