3 Critical RCE Bugs Threaten Industrial Solar Panels, Endangering Grid Systems

Published: 23/11/2024   Category: security




Exposed and unpatched solar power monitoring systems have been exploited by both amateurs and professionals, including Mirai botnet hackers.



Hundreds of solar power monitoring systems are vulnerable to a trio of critical remote code execution (RCE) vulnerabilities. The hackers behind the Mirai botnet and even amateurs have already started taking advantage, and others will follow, experts are predicting.

Palo Alto Networks Unit 42 researchers previously discovered that the Mirai botnet is spreading through CVE-2022-29303, a command injection flaw in SolarView Series software developed by the manufacturer Contec. According to Contec's website, SolarView has been used in more than 30,000 solar power stations.

On Wednesday, vulnerability intelligence firm VulnCheck pointed out in a blog post that CVE-2022-29303 is one of three critical vulnerabilities in SolarView, and it's more than just the Mirai hackers targeting them.
"The most likely worst-case scenario is losing visibility into the equipment that's being monitored and having something break down," explains Mike Parkin, senior technical engineer at Vulcan Cyber. "It's also theoretically possible, though, that the attacker is able to leverage control of the compromised monitoring system to do greater damage or get deeper into the environment."
CVE-2022-29303 stems from a particular endpoint in the SolarView Web server, confi_mail.php, which fails to sufficiently sanitize user input data, enabling the remote malfeasance. In the month it was released, the bug received some attention from security bloggers, researchers, and one YouTuber who showed off the exploit in a still publicly accessible video demonstration. But it was hardly the only problem inside SolarView.
For one thing, there's CVE-2023-23333, an entirely similar command injection vulnerability. This one affects a different endpoint, downloader.php, and was first revealed in February. And there's CVE-2022-44354, published near the end of last year. CVE-2022-44354 is an unrestricted file upload vulnerability affecting yet a third endpoint, enabling attackers to upload PHP Web shells to targeted systems.
VulnCheck noted that these two endpoints, like confi_mail.php, appear to generate hits from malicious hosts on GreyNoise, meaning that they too are likely under some level of active exploitation.
All three vulnerabilities were assigned critical 9.8 (out of 10) CVSS scores.
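Operators who cannot patch immediately can at least watch for exploitation attempts in the Web server's access log. The script below is an added example, not code from the article, VulnCheck or Contec: it flags requests to the two endpoints the article names (confi_mail.php and downloader.php) whose parameters carry shell metacharacters, plus any request that passes a PHP filename in a parameter, as a rough signal for Web shell upload. The third, unnamed upload endpoint and all parameter names are unknown from the article, so the log lines and the `/images/upload.php` path are constructed for the example.

```python
"""Access-log triage for the SolarView endpoints named in the article.
Example code added here; log lines, parameter names and the upload path are
constructed, not observed."""
import re
from urllib.parse import parse_qsl, urlsplit

# Endpoints named in the article (the third, file-upload endpoint is not named).
WATCHED_ENDPOINTS = {"/confi_mail.php", "/downloader.php"}
# Characters that start a second shell command; none belong in a monitoring-UI field.
SHELL_META = re.compile(r"[;|`&\n]|\$\(")
# Parameter values that name a PHP script hint at a Web shell being dropped.
PHP_NAME = re.compile(r"\.ph(p\d?|tml)$", re.IGNORECASE)

# Common/combined log format: ip ident user [time] "METHOD target proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample; addresses are documentation ranges (RFC 5737).
SAMPLE_LOG = [
    '203.0.113.10 - - [05/Jul/2023:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5123',
    '203.0.113.10 - - [05/Jul/2023:10:00:05 +0000] "GET /confi_mail.php?addr=ops%40example.com HTTP/1.1" 200 412',
    '198.51.100.7 - - [05/Jul/2023:10:01:17 +0000] "GET /confi_mail.php?addr=a%3Bid HTTP/1.1" 200 88',
    '198.51.100.7 - - [05/Jul/2023:10:01:20 +0000] "POST /downloader.php?file=x%7Cid HTTP/1.1" 200 88',
    '198.51.100.9 - - [05/Jul/2023:10:02:44 +0000] "POST /images/upload.php?name=cmd.php HTTP/1.1" 200 17',
]


def parse_line(line):
    """Split one access-log line into fields; parse_qsl URL-decodes the values."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    parts = urlsplit(entry["target"])
    entry["path"] = parts.path
    entry["params"] = parse_qsl(parts.query, keep_blank_values=True)
    return entry


def classify(entry):
    """Return a reason string for suspicious requests, None for everything else."""
    path, params = entry["path"], entry["params"]
    if path in WATCHED_ENDPOINTS:
        for key, value in params:
            if SHELL_META.search(value):
                return f"shell metacharacter in '{key}' on {path}"
    for key, value in params:
        if PHP_NAME.search(value):
            return f"PHP filename in '{key}' on {path} (possible web-shell upload)"
    return None


def scan(lines):
    """Yield (ip, method, target, reason) for each flagged line, in log order."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reason = classify(entry)
        if reason:
            hits.append((entry["ip"], entry["method"], entry["target"], reason))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit)
```

Run it against a real log with `scan(open("access.log"))`; a flagged line is a reason to check the host's firewall exposure and the timestamp against patch status, not proof of compromise, since the heuristic will also catch scanner noise.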
Only Internet-exposed instances of SolarView are at risk of remote compromise. A quick Shodan search by VulnCheck revealed 615 cases connected to the open Web as of this month.
This, says Parkin, is where the unnecessary headache starts. "Most of these things are designed to be operated within an environment and shouldn't need access from the open Internet under most use cases," he says. Even where remote connectivity is absolutely necessary, there are workarounds that can protect IoT systems from the scary parts of the wider Internet, he adds. "You can put them all on their own virtual local area networks (VLANs) in their own IP address spaces, and restrict access to them to a few specific gateways or applications, etc."
Operators might risk remaining online if, at least, their systems are patched. Remarkably, however, 425 of those Internet-facing SolarView systems — more than two thirds of the total — were running versions of the software lacking the necessary patch.
At least when it comes to critical systems, this may be understandable. "IoT and operational technology devices are often a lot more challenging to update compared to your typical PC or mobile device. It sometimes has management making the choice to accept the risk, rather than take their systems off-line long enough to install security patches," Parkin says.
All three CVEs were patched in SolarView version 8.00.
