OSVDB ID: 86022

Title: Sinapsi eSolar Light Photovoltaic System Monitor login.php Multiple Default Hardcoded Passwords

Info

Disclosure

Sep 12, 2012

Discovery

Aug 27, 2012

Dates

Exploit

Sep 12, 2012

Solution

Unknown

Description

By default, Sinapsi eSolar Light Photovoltaic System Monitor installs with a default password. The program authenticates users who provide the password of 36e44c9b64 (and 1-2 other unspecified passwords), which is publicly known and documented, regardless of the username they provide. This allows attackers to trivially access the program or system and gain privileged access. Users are not able to change this password.

Classification

Location: Remote / Network Access
Attack Type: Authentication Management
Impact: Loss of Integrity
Solution: Solution Unknown
Exploit: Exploit Public
Disclosure: No Vendor Response
OSVDB: SCADA

Solution

OSVDB is not aware of a solution for this vulnerability.

Products

Schneider Electric

Ezylog Photovoltaic Management Server

Unspecified

References

CVE ID: 2012-5862 (see also: NVD)
Exploit Database: 21273
ISS X-Force ID: 80200
Related OSVDB ID: 86019 86020 86021
News Article: http://arstechnica.com/security/2012/10/solar-panel-control-systems-vulnerable-to-hacks/
http://betabeat.com/2012/10/researchers-discover-software-controlling-solar-power-plants-is-totally-hackable/
Vendor Specific Advisory URL: http://download.schneider-electric.com/files?L=en&p=&p_docId=&p_docId=&p_Reference=SEVD-2012-289-01A&p_EnDocType=Technical%20paper&p_File_Id=28913178&p_File_Name=SEVD-2012-289-01A-Ezylog.pdf
http://www.downloads.schneider-electric.com/sites/oreo/ww/document-detail.page?p_docId=28747522&p_Conf=i
http://www2.schneider-electric.com/corporate/en/support/cybersecurity/viewer-news.page?c_filepath=/templatedata/Content/News/data/en/local/cybersecurity/general_information/2012/12/20121206_advisory_of_vulnerability_affecting_ezylog_monitoring_product_.xm
Vendor URL: http://www.schneider-electric.com/site/home/index.cfm/us/
Other Advisory URL: http://www.us-cert.gov/control_systems/pdf/ICS-ALERT-12-284-01.pdf
Vendor Specific News/Changelog Entry: http://www2.schneider-electric.com/sites/corporate/en/support/cybersecurity/cyber-security-vulnerabilities-sorted.page

Credit

Unknown or Incomplete

Direct URL: http://osvdb.org/86022