Less than one-third of 600 internet-facing SolarView systems found on Shodan are patched against a critical command injection vulnerability, according to new research from VulnCheck.
In a blog post July 5, the VulnCheck researchers said when they followed up recent Unit 42 research on the latest Mirai botnet campaign they found that one of the vulnerabilities — CVE-2022-29303 — was a critical (9.8 CVSS) vulnerability affecting the Contec SolarView Series. The SolarView systems are used to monitor solar power and generation storage.
The VulnCheck researchers said they decided to dig deeper and try to understand the full extent of the exploitation because they had previously found that some of the SolarView devices were exploited in the wild. What they found should concern security pros managing industrial control system (ICS) networks at solar power installations.
“Generally speaking, ICS networks should not be internet accessible,” said Jacob Baines, lead researcher at VulnCheck. “An attacker who can exploit one of these devices from the internet can then pivot into the ICS network, enabling them to further attack a network that isn't intended to be remotely accessible. If the hardware is part of a solar power generation site, then the attacker may affect loss of productivity and revenue.”
Attackers can also use the SolarView system to launch a wider attack against the ICS network, potentially damaging the availability and integrity of the entire system, said Baines.
Baines also pointed out that Unit 42’s blog wasn’t the first indication that the vulnerability was exploited in the wild. The CVE-2022-29303 flaw has had an Exploit-DB entry since May 2022. GreyNoise also mentioned the vulnerability in a blog in May 2023. And a YouTube video from May 2022 shows an attacker using the exploit against a SolarView system found on Shodan.
“The fact that a number of these systems are internet-facing and that the public exploits have been available long enough to get rolled into a Mirai variant is not a good situation,” said Baines. “As always, organizations should be mindful of which systems appear in their public IP space and track public exploits for systems that they rely on.”
The SolarView case shows that maintaining cyber hygiene on IoT/OT/ICS systems continues to be a struggle for most organizations, especially when it comes to keeping firmware on the latest, safest versions, said John Gallagher, vice president of Viakoo Labs. Gallagher said seeing that less than one-third of impacted systems were patched should cause organizations to reassess their methods of patching systems and ensure they have automated methods to do so.
Gallagher also pointed out that the recent Binding Operational Directive (BOD 23-02) issued by the Cybersecurity and Infrastructure Security Agency (CISA) looked to ensure that ICS systems are not internet-facing. In the case of the recent BOD, Gallagher said CISA gave notified agencies only 14 days to disconnect their devices or implement zero-trust access control.
“Perhaps a similar approach and timeframe is needed within corporate organizations,” added Gallagher.
Timothy Morris, chief security advisor at Tanium, pointed out that ICS and IoT systems don’t always get the attention they deserve when it comes to patching and vulnerability management — and attackers have taken notice for some time. Morris said in most cases, security teams should isolate ICSs and not have them face the internet.
“However, as the report shows — and Shodan searches reveal — that isn’t the case,” said Morris. “Exploitation of one CVE can lead to DoS or a foothold for lateral movement. Stacking CVEs or exploiting multiples at a time leads to greater risk. Greater risk can mean: service disruption, loss of revenue, espionage, and potential safety concerns when dealing with energy/power systems. If lateral movement to other corporate networks and systems is possible then the likelihood of a data breach is greatly increased.”