Industrial solar panels threatened by three critical RCE bugs
Target Industry
Solar energy industry.
Overview
A trio of major remote code execution (RCE) vulnerabilities are affecting hundreds of solar power monitoring systems. They are tracked as follows:
- CVE-2022-29303: Command injection vulnerability in SolarView Compact
- CVE-2023-23333: Command injection vulnerability in SolarView Compact
- CVE-2022-44354: A crafted PHP file can lead to unrestricted file upload on SolarView Compact 4.0 and 5.0.
All three vulnerabilities were assigned “critical” 9.8 (out of 10) CVSSv3 scores.
Impact
Remote exploitation of SolarView is only possible for instances that are exposed to the internet. As of this month, a simple Shodan search by VulnCheck found 615 instances connected to the open Web. The worst-case situation is likely to be losing visibility into the monitored equipment and experiencing a malfunction. However, it is also theoretically conceivable that the attacker could use the compromised monitoring system as a foothold to inflict further harm or penetrate further into the environment.
A command injection vulnerability exists when an attacker can run arbitrary commands on a target system. It arises when user-supplied input is processed incorrectly in a command execution context. A successful command injection attack can have dire repercussions, from unauthorised access to confidential information to full system compromise. The threat actor can use a variety of attacks, some of which are listed below:
- Remote code execution: Command injection enables an attacker to run arbitrary commands on a target system remotely. As a result, the attacker may be able to execute malicious code with the same rights as the affected application or service.
- Control over the underlying operating system: Command injection can give an attacker control of the operating system itself. They can run system-level commands to change configurations, escalate access, edit files, or start new attacks. Unrestricted access gives the attacker the opportunity to compromise the system’s confidentiality, availability, and integrity.
- Data exfiltration: Command injection can make unauthorised data exfiltration easier. Attackers can use command execution to gain access to confidential data kept on the system, or take advantage of command injection flaws in web apps to retrieve information from backend databases.
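The root cause described above, shown as a flawed handler beside two corrected forms. This is an added illustration, not SolarView code: the diagnostic feature, the function names and the sample input are hypothetical, and `echo` stands in for whatever tool a real device would invoke.

```python
import re
import subprocess

# Hypothetical diagnostic feature of a device web UI: the operator submits a
# host name and the server runs a command with it. "echo" stands in for the
# real tool so the example is harmless and runs offline.

def check_host_vulnerable(host: str) -> str:
    """Flawed: user input is concatenated into a string parsed by /bin/sh."""
    cmd = "echo checking " + host
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout

def check_host_argv(host: str) -> str:
    """No shell: the input is a single argv element, so ';' is just data."""
    return subprocess.run(["echo", "checking", host],
                          capture_output=True, text=True).stdout

# Allowlist for host names / IPv4 addresses; must not start with '-' so the
# value can never be read as an option by the invoked program.
HOST_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]{0,252}")

def check_host_hardened(host: str) -> str:
    """Validate against the allowlist first, then execute without a shell."""
    if not HOST_RE.fullmatch(host):
        raise ValueError("rejected host value")
    return check_host_argv(host)

# Constructed sample input: a benign marker command appended after ';'.
SAMPLE = "10.0.0.5; echo INJECTED"

if __name__ == "__main__":
    print(repr(check_host_vulnerable(SAMPLE)))  # two lines: second command ran
    print(repr(check_host_argv(SAMPLE)))        # one line: input stayed data
    try:
        check_host_hardened(SAMPLE)
    except ValueError as exc:
        print("hardened:", exc)
```

The same two controls, no shell parsing and strict input allowlisting, are what to look for when reviewing any device web interface that passes request parameters to system commands.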
Vulnerability Detection
A security patch for these vulnerabilities has been released by SolarView. Earlier product versions therefore remain vulnerable to potential exploitation.
Affected Products
SolarView Compact versions 4.0, 5.0 and 6.0.
Containment, Mitigations & Remediations
All three CVEs were patched in SolarView version 8.00. As such, it is strongly recommended that the patch is applied as soon as possible.
Threat Landscape
SolarView occupies a significant portion of the power plant monitoring solution market share. Given that threat actors generally utilise a combination of probability and asset value to determine which attack surfaces to focus on, such systems have emerged as a prime target.
Such vulnerabilities are particularly attractive to nation-state sponsored threat actors that specifically target critical national infrastructure (CNI) systems. Threat actor groups funded by the ‘Big Four’ nations (Russia, China, North Korea, and Iran) operate according to the directives of their respective government objectives by exfiltrating data from CNI and relaying this information to the state. It is highly likely that cyber-attacks conducted within this sector by Advanced Persistent Threat (APT) groups involve the objective of stealing proprietary information, disrupting operations, or potentially sabotaging critical infrastructure.
Mitre Methodologies
T1202 – Indirect Command Execution
T1608.001 – Stage Capabilities: Upload Malware
T1608 – Stage Capabilities