Monday, January 18, 2021

KACO XP100U HMI Credential Leak Vulnerability

Date: 2021-01-18

Author: Kevin2600

CVE:  CVE-2021-3252

Version: XP-JAVA 2.0

Vendor:  https://kaco-newenergy.com


Attack Vector: 

The correct credentials will be returned in plain-text from the local server, during the authentication process. Regardless of whatever the passwords have been provided.   


Reproduce Steps:

1: Sniffing the authentication process of XP100U by using Wireshark or TCPDump.



2: A request “aci_request_code type=’int’>31<” is sent by XP100U Client.

3: By reversing the java application, we can found that code 31 is used for GET_PASSWORD. And the funny part is this request actually send to the local server.



4: And regardless of whatever the passwords have been provided. The correct credentials will always be returned in PLAIN-TEXT. 


Impact-Level:

From search engine Shodan. Currently, around 172 devices exposed to the public on the Internet.


Vendor Response: 

The Vendor KACO has been contacted. However no response from them :(


Reference:

https://us-cert.cisa.gov/ics/alerts/ICS-ALERT-15-224-01

1 comment:

  1. The article was up to the point and described the information very effectively. Thanks to blog author for wonderful and informative post.
    tax consultant in barking

    ReplyDelete