CVE-2012-5864

The management web pages on the Sinapsi eSolar Light Photovoltaic System Monitor (aka Schneider Electric Ezylog photovoltaic SCADA management server), Sinapsi eSolar, and Sinapsi eSolar DUO with firmware before 2.0.2870_2.2.12 do not require authentication, which allows remote attackers to obtain administrative access via a direct request, as demonstrated by a request to ping.php.

CVSS v2.0 10.0 HIGH

10.0^/10

CVSS v2.0 : HIGH

Vector : AV:N/AC:L/Au:N/C:C/I:C/A:C

Exploitability : 10.0 / Impact : 10.0

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

References

Link	Resource
http://archives.neohapsis.com/archives/bugtraq/2012-09/0045.html	Exploit
http://www.exploit-db.com/exploits/21273/	Exploit
http://www.sinapsitech.it/default.asp?active_page_id=78&news_id=88
http://www.us-cert.gov/control_systems/pdf/ICSA-12-325-01.pdf	US Government Resource
https://exchange.xforce.ibmcloud.com/vulnerabilities/80203

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:sinapsitech:sinapsi_firmware:*:*:*:*:*:*:*:*

OR	cpe:2.3:h:sinapsitech:esolar_duo_photovoltaic_system_monitor:-:::::::*
	cpe:2.3:h:sinapsitech:esolar_light_photovoltaic_system_monitor:-:::::::*
	cpe:2.3:h:sinapsitech:esolar_photovoltaic_system_monitor:-:::::::*

History

No history.

Information

Published : 2012-11-23 12:09

Updated : 2024-02-28 12:00

NVD link : CVE-2012-5864

Mitre link : CVE-2012-5864

CVE.ORG link : CVE-2012-5864

JSON object : View

Products Affected

sinapsitech

esolar_duo_photovoltaic_system_monitor
esolar_photovoltaic_system_monitor
esolar_light_photovoltaic_system_monitor
sinapsi_firmware

CWE

CWE-264

Permissions, Privileges, and Access Controls

{"id": "CVE-2012-5864", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 10.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "authentication": "NONE", "integrityImpact": "COMPLETE", "accessComplexity": "LOW", "availabilityImpact": "COMPLETE", "confidentialityImpact": "COMPLETE"}, "acInsufInfo": false, "impactScore": 10.0, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "published": "2012-11-23T12:09:58.540", "references": [{"url": "http://archives.neohapsis.com/archives/bugtraq/2012-09/0045.html", "tags": ["Exploit"], "source": "ics-cert@hq.dhs.gov"}, {"url": "http://www.exploit-db.com/exploits/21273/", "tags": ["Exploit"], "source": "ics-cert@hq.dhs.gov"}, {"url": "http://www.sinapsitech.it/default.asp?active_page_id=78&news_id=88", "source": "ics-cert@hq.dhs.gov"}, {"url": "http://www.us-cert.gov/control_systems/pdf/ICSA-12-325-01.pdf", "tags": ["US Government Resource"], "source": "ics-cert@hq.dhs.gov"}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/80203", "source": "ics-cert@hq.dhs.gov"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-264"}]}], "descriptions": [{"lang": "en", "value": "The management web pages on the Sinapsi eSolar Light Photovoltaic System Monitor (aka Schneider Electric Ezylog photovoltaic SCADA management server), Sinapsi eSolar, and Sinapsi eSolar DUO with firmware before 2.0.2870_2.2.12 do not require authentication, which allows remote attackers to obtain administrative access via a direct request, as demonstrated by a request to ping.php."}, {"lang": "es", "value": "Las p\u00e1ginas web de administraci\u00f3n en el Sinapsi eSolar Light Photovoltaic System Monitor (tambi\u00e9n conocido como servidor de gesti\u00f3n Schneider Electric Ezylog photovoltaic SCADA), Sinapsi eSolar, y Sinapsi eSolar DUO con firmware anterior a v2.0.2870_2.2.12 no requiere autenticaci\u00f3n, lo que permite a atacantes obtener acceso administrativo mediante una petici\u00f3n directa, como se demostr\u00f3 por una petici\u00f3n a ping.php"}], "lastModified": "2017-08-29T01:32:49.510", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:sinapsitech:sinapsi_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "382C527D-16D4-4557-8E68-C4430416DB57", "versionEndIncluding": "2.0.2870"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:sinapsitech:esolar_duo_photovoltaic_system_monitor:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BF238DD2-D119-4652-B63B-9321DFB01A90"}, {"criteria": "cpe:2.3:h:sinapsitech:esolar_light_photovoltaic_system_monitor:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C00B699F-DE3B-4371-B814-DE54038C60A0"}, {"criteria": "cpe:2.3:h:sinapsitech:esolar_photovoltaic_system_monitor:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "288B1E9C-52C3-4ACC-807D-F650B850D874"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "ics-cert@hq.dhs.gov"}