Critical Vulnerabilities in SolarView Solar Power Monitoring Systems
The Threat
Experts are warning that hundreds of solar power monitoring systems are vulnerable to a set of critical remote code execution (RCE) vulnerabilities. Hackers, including those behind the infamous Mirai botnet, have already begun exploiting these vulnerabilities, and it is expected that others will follow suit.
The vulnerabilities affect the SolarView Series software developed by Contec, a manufacturer of solar power equipment. SolarView is widely used, with over 30,000 solar power stations relying on it for monitoring purposes. The vulnerabilities, tracked as CVE-2022-29303, CVE-2023-23333, and CVE-2022-44354, have all been classified as critical with a CVSS score of 9.8 out of 10.
The Vulnerabilities
CVE-2022-29303 is a command injection flaw in a specific endpoint of the SolarView Web server, conf_mail.php. The vulnerability occurs because user input data is not properly sanitized, allowing remote attackers to execute arbitrary code. This vulnerability gained some attention when it was first discovered, with security bloggers, researchers, and even a YouTuber demonstrating the exploit in a publicly accessible video.
CVE-2023-23333 is another command injection vulnerability that affects a different endpoint, downloader.php. This vulnerability was first revealed in February. Finally, CVE-2022-44354 is an unrestricted file upload vulnerability that impacts a third endpoint, enabling attackers to upload PHP Web shells to targeted systems. These two vulnerabilities also show signs of being actively exploited, as demonstrated by hits from malicious hosts on GreyNoise.
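For defenders who want to check whether their own SolarView web server has seen this kind of traffic, the following added example (not code from the article, Contec, or GreyNoise) triages a combined-format access log for requests to the two named endpoints, conf_mail.php (the endpoint name in the CVE-2022-29303 record) and downloader.php. The management subnet, the log format, and the sample log lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import parse_qsl, unquote_plus

# Endpoints the article names for CVE-2022-29303 and CVE-2023-23333.
WATCHED = ("conf_mail.php", "downloader.php")
# Assumption: the only network that should ever reach the monitoring web UI.
MGMT_NET = ipaddress.ip_network("10.20.0.0/24")
# Characters a shell treats as separators, pipes, substitutions or redirects.
SHELL_META = re.compile(r"[;|&`$<>\n]")
# Combined log format: ip ident user [time] "METHOD target PROTO" status ...
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed sample lines (documentation addresses, placeholder parameter "p").
SAMPLE = [
    '10.20.0.15 - - [01/Jul/2023:10:00:00 +0000] "GET /conf_mail.php HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jul/2023:10:05:00 +0000] "POST /conf_mail.php HTTP/1.1" 200 512',
    '198.51.100.9 - - [01/Jul/2023:10:06:00 +0000] "GET /downloader.php?p=a%253Bid HTTP/1.1" 200 0',
    '203.0.113.7 - - [01/Jul/2023:10:07:00 +0000] "GET /index.php HTTP/1.1" 200 900',
]

def triage(lines):
    """Return (line_no, source, path, status, reasons) for suspicious requests."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LINE.match(line)
        if not m:
            continue
        src, _method, target, status = m.groups()
        path, _, query = target.partition("?")
        if not path.lower().endswith(WATCHED):
            continue
        reasons = []
        try:
            if ipaddress.ip_address(src) not in MGMT_NET:
                reasons.append("source outside management network")
        except ValueError:
            reasons.append("unparseable source address")
        # parse_qsl decodes once; decode again to catch double-encoded input.
        parts = [p for pair in parse_qsl(query, keep_blank_values=True) for p in pair]
        if any(SHELL_META.search(unquote_plus(p)) for p in parts):
            reasons.append("shell metacharacter in query string")
        if reasons:
            findings.append((n, src, path, int(status), reasons))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

Access logs do not record POST bodies, so the source-address check is what catches a POST to a watched endpoint; a hit here is a lead for closer inspection, not proof of compromise.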
The Potential Impact
The immediate consequence of these vulnerabilities is the potential loss of visibility into the equipment being monitored, which could lead to breakdowns. However, the implications go beyond that. If an attacker gains control of the compromised monitoring system, they could potentially cause greater damage or penetrate further into the environment.
The Scope of the Problem
It is worth noting that only Internet-exposed instances of SolarView are at risk of remote compromise. However, a quick search by vulnerability intelligence firm VulnCheck found 615 instances connected to the open web as of this month. This demonstrates that a significant number of systems are both vulnerable and accessible to potential attackers.
Mike Parkin, a senior technical engineer at Vulcan Cyber, explains that many of these systems are designed to operate within closed environments and should not require open internet access in most use cases. Implementing proper security measures, such as placing them on separate virtual local area networks (VLANs) with restricted access, can help protect IoT systems from the wider internet.
Unfortunately, a concerning majority of the Internet-facing SolarView systems lacked the necessary security patch. Out of the 615 systems found, 425 were running versions of the software without the required patch. Updating IoT and operational technology devices, like solar power monitoring systems, can be challenging. Often, system owners are faced with the choice of accepting the risk or taking their systems offline for a significant amount of time to install security patches.
The Path Forward
The first step in addressing these vulnerabilities is for system owners to ensure that they have the latest version of SolarView (version 8.00) installed, as this version includes patches for all three critical vulnerabilities.
Additionally, it is crucial for system owners to take a proactive approach to cybersecurity and implement best practices. This includes regularly updating devices and software with the latest security patches, segregating IoT systems from the wider internet through the use of VLANs, and implementing access controls to restrict unauthorized access to critical systems.
Furthermore, manufacturers like Contec should prioritize security in their software development processes and ensure that vulnerabilities are quickly identified and patched. Regular security audits and penetration testing can help identify any weaknesses in the system and prevent future attacks.
Overall, the vulnerabilities in SolarView highlight the importance of comprehensive cybersecurity measures in industrial systems. As the world continues to rely on renewable energy sources like solar power, it is essential to address cybersecurity risks to protect critical infrastructure and prevent potential disruptions.