**ATTENTION:**Remotely exploitable/low skill level to exploit
**Vendor:**BINOM3
Equipment: Electric Power Quality Meter
Vulnerabilities: Cross-site scripting, access control issues, cross-site request forgery (CSRF), sensitive information stored in clear-text, and weak credentials management.
The following BINOM3 power meters are affected:
Successful exploitation of these vulnerabilities could cause the device to inaccurately report a range of electrical quality measurements.
BINOM3 has not created mitigations for these vulnerabilities.
NCCIC/ICS-CERT recommends that users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:
ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
ICS-CERT also provides a section for control systems security recommended practices on the ICS-CERT web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
Additional mitigation guidance and recommended practices are publicly available in the ICSβCERT Technical Information Paper, ICS-TIP-12-146-01BβTargeted Cyber Intrusion Detection and Mitigation Strategies, that is available for download from the ICS-CERT web site.
Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents.
In addition, ICS-CERT recommends that users take the following measures to protect themselves from social engineering attacks:
No known public exploits specifically target these vulnerabilities.
Input sent from a malicious client is not properly verified by the server. An attacker can execute arbitrary script code in another userβs browser session.
CVE-2017-5164 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:H).
Lack of authentication for remote service gives access to application set up and configuration.
CVE-2017-5162 has been assigned to this vulnerability. A CVSS v3 base score of 10 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).
There is no CSRF Token generated per page and/or per (sensitive) function. Successful exploitation of this vulnerability can allow silent execution of unauthorized actions on the device such as configuration parameter changes, and saving modified configuration.
CVE-2017-5165 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:H).
This flaw can be used to gain privileged access to the device.
CVE-2017-5166 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Users do not have any option to change their own passwords.
CVE-2017-5167 has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L).
Karn Ganeshen reported these vulnerabilities.
Critical Infrastructure Sector(s): Energy
Countries Deployed: Russia
Company Headquarters Location: St Petersburg, Russia
ics-cert.us-cert.gov
ics-cert.us-cert.gov
twitter.com/icscert
twitter.com/icscert
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5162
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5164
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5165
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5166
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5167
www.addthis.com/bookmark.php?url=https%3A%2F%2Fics-cert.us-cert.gov%2Fadvisories%2FICSA-17-031-01
www.dhs.gov
www.dhs.gov/report-cyber-risks
www.us-cert.gov/accessibility/
www.us-cert.gov/pdf/
www.us-cert.gov/privacy/
www.us-cert.gov/tlp/
www.us-cert.gov/tlp/
cwe.mitre.org/data/definitions/200.html
cwe.mitre.org/data/definitions/259.html
cwe.mitre.org/data/definitions/284.html
cwe.mitre.org/data/definitions/352.html
cwe.mitre.org/data/definitions/79.html
ics-cert.us-cert.gov/
ics-cert.us-cert.gov/content/recommended-practices
ics-cert.us-cert.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf
ics-cert.us-cert.gov/tips/ICS-TIP-12-146-01B
twitter.com/share?url=https%3A%2F%2Fics-cert.us-cert.gov%2Fadvisories%2FICSA-17-031-01
www.facebook.com/sharer.php?u=https%3A%2F%2Fics-cert.us-cert.gov%2Fadvisories%2FICSA-17-031-01
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:H
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:H
www.us-cert.gov/cas/tips/ST04-014.html
www.us-cert.gov/forms/feedback?helpful=no&document=ICSA-17-031-01 BINOM3 Electric Power Quality Meter&trackingNumber=&url=https://ics-cert.us-cert.gov/advisories/ICSA-17-031-01&site_name=ICS-CERT
www.us-cert.gov/forms/feedback?helpful=somewhat&document=ICSA-17-031-01 BINOM3 Electric Power Quality Meter&trackingNumber=&url=https://ics-cert.us-cert.gov/advisories/ICSA-17-031-01&site_name=ICS-CERT
www.us-cert.gov/forms/feedback?helpful=yes&document=ICSA-17-031-01 BINOM3 Electric Power Quality Meter&trackingNumber=&url=https://ics-cert.us-cert.gov/advisories/ICSA-17-031-01&site_name=ICS-CERT
www.us-cert.gov/reading_room/emailscams_0905.pdf