9 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:S/C:C/I:C/A:C
7.2 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
0.001 Low
EPSS
Percentile
44.2%
Title: KevinLAB BEMS 1.0 Undocumented Backdoor Account
Advisory ID: ZSL-2021-5654
Type: Local/Remote
Impact: System Access, DoS
Risk: (5/5)
Release Date: 20.07.2021
KevinLab is a venture company specialized in IoT, Big Data, A.I based energy management platform. KevinLAB’s BEMS (Building Energy Management System) enables efficient energy management in buildings. It improves the efficient of energy use by collecting and analyzing various information of energy usage and facilities in the building. It also manages energy usage, facility efficiency and indoor environment control.
The BEMS solution has an undocumented backdoor account and these sets of credentials are never exposed to the end-user and cannot be changed through any normal operation of the solution thru the RMI. Attacker could exploit this vulnerability by logging in using the backdoor account with highest privileges for administration and gain full system control. The backdoor user cannot be seen in the users settings in the admin panel and it also uses an undocumented privilege level (admin_pk=1) which allows full availability of the features that the BEMS is offering remotely.
KevinLAB Inc. - <http://www.kevinlab.com>
4ST L-BEMS 1.0.0 (Building Energy Management System)
Linux CentOS 7
Apache 2.4.6
Python 2.7.5
PHP 5.4.16
MariaDB 5.5.68
[05.07.2021] Vulnerability discovered.
[08.07.2021] Vendor contacted.
[12.07.2021] No response from the vendor.
[13.07.2021] Vendor contacted.
[19.07.2021] No response from the vendor.
[20.07.2021] Public security advisory released.
Vulnerability discovered by Gjoko Krstic - <[email protected]>
[1] <https://packetstormsecurity.com/files/163571/>
[2] <https://www.exploit-db.com/exploits/50145>
[3] <https://cxsecurity.com/issue/WLB-2021070124>
[4] <https://exchange.xforce.ibmcloud.com/vulnerabilities/205982>
[5] <https://vulners.com/cve/CVE-2021-37292>
[20.07.2021] - Initial release
[21.07.2021] - Added reference [1], [2] and [3]
[22.07.2021] - Added reference [4]
[11.04.2022] - Added reference [5]
Zero Science Lab
Web: <https://www.zeroscience.mk>
e-mail: [email protected]
<html><body><p>KevinLAB BEMS 1.0 Undocumented Backdoor Account
Vendor: KevinLAB Inc.
Product web page: http://www.kevinlab.com
Affected version: 4ST L-BEMS 1.0.0 (Building Energy Management System)
Summary: KevinLab is a venture company specialized in IoT, Big Data, A.I based energy
management platform. KevinLAB's BEMS (Building Energy Management System) enables
efficient energy management in buildings. It improves the efficient of energy use
by collecting and analyzing various information of energy usage and facilities in
the building. It also manages energy usage, facility efficiency and indoor environment
control.
Desc: The BEMS solution has an undocumented backdoor account and these sets of
credentials are never exposed to the end-user and cannot be changed through any
normal operation of the solution thru the RMI. Attacker could exploit this
vulnerability by logging in using the backdoor account with highest privileges
for administration and gain full system control. The backdoor user cannot be
seen in the users settings in the admin panel and it also uses an undocumented
privilege level (admin_pk=1) which allows full availability of the features that
the BEMS is offering remotely.
Tested on: Linux CentOS 7
Apache 2.4.6
Python 2.7.5
PHP 5.4.16
MariaDB 5.5.68
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2021-5654
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5654.php
05.07.2021
--
Backdoor accounts from the DB:
------------------------------
Username: kevinlab (permission=1)
Password: kevin003
Username: developer1 (permission=6)
Password: 1234
</p></body></html>
9 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:S/C:C/I:C/A:C
7.2 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
0.001 Low
EPSS
Percentile
44.2%