SenNet Data Logger Appliances and Electricity Meters Multiple Vulnerabilities

CVSS Base Vector:
AV:N/AC:L/Au:N/C:C/I:C/A:C

Detection Method:
Try to connect to TCP port 5000 and execute the `id` command.

Technical Details:
Vulnerability Details 1. No access control on the remote shell The appliance runs ARM as underlying OS. Telnet access is enabled on TCP port 5000. There is no authentication required for accessing and connecting the remote shell. Any user can connect to the shell and issue commands. 2. Shell services running with excessive privileges (superuser) The service runs with superuser root privileges, thus giving privileged access to any user, without any authentication (exploited via OS Command Injection described nexe). 3. OS Command Injection The remote shell (attempts to) offer a restricted environment, and does not allow executing system commands. However, it is possible to break out of this jailed shell by chaining specific shell meta-characters and OS commands. The service / application is run as 'root' and OS command injection results in full system access.

Recommendations:
Vendor has released a fix.

Summary:
The remote SenNet Appliances is affected by multiple vulnerabilities.

Affected Versions:
SenNet Optimal DataLogger appliance SenNet Solar DataLogger appliance SenNet Multitask Meter

Solution Type:
Vendor Patch

Detection Type:
exploit

References:

http://seclists.org/fulldisclosure/2017/Apr/36