Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
zeroscienceGjoko KrsticZSL-2021-5654
HistoryJul 20, 2021 - 12:00 a.m.

KevinLAB BEMS 1.0 Undocumented Backdoor Account

2021-07-2000:00:00
Gjoko Krstic
zeroscience.mk
463

9 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:S/C:C/I:C/A:C

7.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

0.001 Low

EPSS

Percentile

44.2%

JSON

Title: KevinLAB BEMS 1.0 Undocumented Backdoor Account
Advisory ID: ZSL-2021-5654
Type: Local/Remote
Impact: System Access, DoS
Risk: (5/5)
Release Date: 20.07.2021

Summary

KevinLab is a venture company specialized in IoT, Big Data, A.I based energy management platform. KevinLAB’s BEMS (Building Energy Management System) enables efficient energy management in buildings. It improves the efficient of energy use by collecting and analyzing various information of energy usage and facilities in the building. It also manages energy usage, facility efficiency and indoor environment control.

Description

The BEMS solution has an undocumented backdoor account and these sets of credentials are never exposed to the end-user and cannot be changed through any normal operation of the solution thru the RMI. Attacker could exploit this vulnerability by logging in using the backdoor account with highest privileges for administration and gain full system control. The backdoor user cannot be seen in the users settings in the admin panel and it also uses an undocumented privilege level (admin_pk=1) which allows full availability of the features that the BEMS is offering remotely.

Vendor

KevinLAB Inc. - <http://www.kevinlab.com>

Affected Version

4ST L-BEMS 1.0.0 (Building Energy Management System)

Tested On

Linux CentOS 7
Apache 2.4.6
Python 2.7.5
PHP 5.4.16
MariaDB 5.5.68

Vendor Status

[05.07.2021] Vulnerability discovered.
[08.07.2021] Vendor contacted.
[12.07.2021] No response from the vendor.
[13.07.2021] Vendor contacted.
[19.07.2021] No response from the vendor.
[20.07.2021] Public security advisory released.

PoC

kevinlab_bems_backdoor.txt

Credits

Vulnerability discovered by Gjoko Krstic - <[email protected]>

References

[1] <https://packetstormsecurity.com/files/163571/&gt;
[2] <https://www.exploit-db.com/exploits/50145&gt;
[3] <https://cxsecurity.com/issue/WLB-2021070124&gt;
[4] <https://exchange.xforce.ibmcloud.com/vulnerabilities/205982&gt;
[5] <https://vulners.com/cve/CVE-2021-37292&gt;

Changelog

[20.07.2021] - Initial release
[21.07.2021] - Added reference [1], [2] and [3]
[22.07.2021] - Added reference [4]
[11.04.2022] - Added reference [5]

Contact

Zero Science Lab

Web: <https://www.zeroscience.mk>
e-mail: [email protected]

<html><body><p>KevinLAB BEMS 1.0 Undocumented Backdoor Account


Vendor: KevinLAB Inc.
Product web page: http://www.kevinlab.com
Affected version: 4ST L-BEMS 1.0.0 (Building Energy Management System)

Summary: KevinLab is a venture company specialized in IoT, Big Data, A.I based energy
management platform. KevinLAB's BEMS (Building Energy Management System) enables
efficient energy management in buildings. It improves the efficient of energy use
by collecting and analyzing various information of energy usage and facilities in
the building. It also manages energy usage, facility efficiency and indoor environment
control.

Desc: The BEMS solution has an undocumented backdoor account and these sets of
credentials are never exposed to the end-user and cannot be changed through any
normal operation of the solution thru the RMI. Attacker could exploit this
vulnerability by logging in using the backdoor account with highest privileges
for administration and gain full system control. The backdoor user cannot be
seen in the users settings in the admin panel and it also uses an undocumented
privilege level (admin_pk=1) which allows full availability of the features that
the BEMS is offering remotely.

Tested on: Linux CentOS 7
           Apache 2.4.6
           Python 2.7.5
           PHP 5.4.16
           MariaDB 5.5.68


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2021-5654
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5654.php


05.07.2021

--


Backdoor accounts from the DB:
------------------------------

Username: kevinlab (permission=1)
Password: kevin003

Username: developer1 (permission=6)
Password: 1234
</p></body></html>

Related

cvelist 1
cve 1
prion 1
nvd 1
cnvd 1
cvelist
cvelist
CVE-2021-37292
2022-04-11 18:13:14
cve
cve
CVE-2021-37292
2022-04-11 19:15:07
prion
prion
Improper access control
2022-04-11 19:15:00
nvd
nvd
CVE-2021-37292
2022-04-11 19:15:07
cnvd
cnvd
KevinLAB Building Energy Management System Access Control Error Vulnerability
2022-04-13 00:00:00

9 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:S/C:C/I:C/A:C

7.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

0.001 Low

EPSS

Percentile

44.2%

JSON
Related for ZSL-2021-5654
cvelist1cve1prion1nvd1cnvd1