Contec SolarView: Critical Bug Unpatched After 14 MONTHS

9.8 CVSS known since May 2022—but still exploitable on 400+ net-connected OT/ICS/SCADA systems.

An “easily exploited, yet critical” vulnerability in Contec’s SolarView SCADA product line is still present on hundreds of internet-exposed systems. It’s actively being exploited by the Mirai botnet family, but researchers fear much worse.

Although the vendor fixed the bug in version 8.00, earlier versions remain unpatched and reachable from the internet. In today’s SB Blogwatch, we wonder why they’re on the internet in the first place.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Some kind of fun will now commence.

PV OT: VPN PDQ

What’s the craic? Eduard Kovacs reports—“Exploited Solar Power Product Vulnerability”:

Public since May 2022
Hundreds of energy organizations could be exposed to attacks due to an actively exploited vulnerability affecting a solar power monitoring product. … Contec specializes in custom embedded computing, industrial automation, and IoT communication technology. The company’s SolarView solar power monitoring and visualization product is used at more than 30,000 power stations.

A Mirai variant has been exploiting a vulnerability in SolarView to hack devices and ensnare them into a botnet. … CVE-2022-29303 is one of nearly two dozen targeted. [However,] the security hole was only patched with the release of version 8.0 [but] versions dating back to at least 4.0 are impacted. A Shodan search shows [425] vulnerable … internet-exposed SolarView systems.

The fact that CVE-2022-29303 has been used in the wild is not surprising considering that an exploit and exploitation instructions have been public since May 2022. [And] there are other … SolarView vulnerabilities that could be exploited by malicious actors, including CVE-2023-23333 and CVE-2022-44354.


Is this a big deal? Yes it is, says Steve Zurier—“SolarView systems still vulnerable to critical bug”:

Maintaining cyber hygiene
CVE-2022-29303 [is] a critical (9.8 CVSS) vulnerability affecting the Contec SolarView Series. … Attackers can also use the SolarView system to launch a wider attack against the ICS network, potentially damaging the availability and integrity of the entire system.

[This] should concern security pros managing industrial control system (ICS) networks. … Maintaining cyber hygiene on IoT/OT/ICS systems continues to be a struggle for most organizations. [It] should cause organizations to reassess their methods of patching systems.

Horse’s mouth? Jacob Baines—“Actively Exploited Industrial Control Systems Hardware”:

CVE description is inaccurate
Contec SolarView is clearly intended for ICS networks, so you’d hope to never find one accessible over the internet. [But] Shodan currently indexes more than 600 SolarView systems [and] less than one third … are patched.

According to the CVE description, the affected versions of SolarView are “ver.6.00.” … However, further examination of SolarView’s firmware revealed that this CVE description is inaccurate: … Not only was version 6.00 affected, but 6.20 as well. In fact, we found that [the bug] has existed since at least version 4.00. It wasn’t [fixed] until version 8.00.
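The practical consequence of Baines’s finding is that the CVE text alone will misclassify an inventory: anything from 4.00 up to (but not including) 8.00 should be treated as affected, and a build older than 4.00 or with no readable version is “unknown”, not “safe”. The following triage script is an added example (not code from the page, the vendor or the researchers). It assumes the version appears in a banner in the “ver.X.YY” form the CVE uses, and the inventory rows are constructed sample data; it ranks hosts by version status and internet exposure and does not test for the vulnerability itself.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

Version = Tuple[int, int]

# Affected range per the analysis quoted above: the bug is present since at
# least 4.00 and was not fixed until 8.00 (the CVE's "ver.6.00" understates it).
FIRST_AFFECTED: Version = (4, 0)
FIRST_FIXED: Version = (8, 0)

# Assumed banner format, e.g. "SolarView ver.6.20" (matches the CVE's "ver.6.00").
_VERSION_RE = re.compile(r"ver\.?\s*(\d+)\.(\d+)", re.IGNORECASE)


def parse_version(banner: str) -> Optional[Version]:
    """Extract (major, minor) from a banner; None if no version is visible."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)))


def classify(version: Optional[Version]) -> str:
    """'affected', 'patched' or 'unknown'. Builds older than the oldest
    examined release (4.00) are unknown, not safe: nobody has checked them."""
    if version is None:
        return "unknown"
    if version >= FIRST_FIXED:
        return "patched"
    if version >= FIRST_AFFECTED:
        return "affected"
    return "unknown"


@dataclass
class Finding:
    host: str
    version: Optional[Version]
    internet_exposed: bool
    status: str
    priority: int  # 0 = fix first


_STATUS_RANK = {"affected": 0, "unknown": 1, "patched": 2}


def triage(inventory: List[dict]) -> List[Finding]:
    """Rank hosts: affected before unknown before patched, and within each
    status, internet-exposed before internal. Even a patched host that is
    exposed keeps a non-zero priority: it should not be on the internet."""
    findings = []
    for row in inventory:
        version = parse_version(row["banner"])
        status = classify(version)
        priority = _STATUS_RANK[status] * 2 + (0 if row["internet_exposed"] else 1)
        findings.append(Finding(row["host"], version, row["internet_exposed"], status, priority))
    return sorted(findings, key=lambda f: (f.priority, f.host))


# Constructed sample inventory (hypothetical hosts and banners, not real data).
SAMPLE_INVENTORY = [
    {"host": "10.0.5.20", "banner": "SolarView ver.6.20", "internet_exposed": True},
    {"host": "10.0.5.21", "banner": "SolarView ver.8.00", "internet_exposed": True},
    {"host": "10.0.5.22", "banner": "SolarView ver.4.00", "internet_exposed": False},
    {"host": "10.0.5.23", "banner": "SolarView", "internet_exposed": True},
]


if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        where = "INTERNET" if f.internet_exposed else "internal"
        print(f"P{f.priority} {f.host:<12} {f.status:<9} {where:<8} version={f.version}")
```

Feed it whatever banner collection you already have (the Shodan results in the articles above are one source); the point is that the ordering is driven by the researchers’ affected range rather than by the CVE’s single-version text.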

Wait. Pause. SCADA on the internet? jjmorris2000 worms their way into the chat:

Why wouldn’t these be behind some kind of firewall? I weep for how bad network security has gotten in the last 20 years.

When I used to do network engineering, [anyone] putting device controllers on the open internet without a firewall … they would have been tossed off the team. … The number of mission critical things that appear to just be sitting out on the internet … continues to boggle my mind. … You just need to find a single bug to get access.

Some are calling the owners “idiots.” Is that fair? Jahta agrees it is:

Yeah, this is Security 101 stuff: “You can’t hack something that isn’t there.”

Too many organisations see security spend as dead money. The attitude is, why go to the expense of setting up a private network (and a secure VPN) … when you can just put everything on the public internet?

Surely this stuff is regulated? jtkooch serves up some delicious alphabet soup:

Most solar projects fall below regulatory thresholds … in the US. While there may be some language in the interconnect agreement around security it will not be as prescriptive as it would be if the project rose to the NERC CIP “low impact” level.

DoE/CISA/CESAR/FERC are all aware of this problem and there are various efforts to address it. But it probably won’t come before someone gets hacked publicly.

What kind of organizations do this? PPH kindly suggests the kind:

The kind with CEOs that insist on whipping out their iPhones and showing their golf buddies exactly how many kilowatts their solar plant is putting out right now. The kind of idiot that you don’t argue with. You just open the port to the world, shake your head and walk away.

Meanwhile, what’s that smell? It’s What a nin-cow-poop [You’re fired—Ed.]:

IT security is a cost center. Not a profit center.

And Finally:

An oldie, but a goodie



You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi, @richij or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.

Image sauce: APPA (via Unsplash; leveled and cropped)

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
