SCADA Vulnerabilities & Exposures (SVE)

CRITIFENCE® SCADA Vulnerabilities and Exposures Database (SVE)

[SVE-763299469] BINOM3 Electric Power Quality Meter (Update A)

Date Type Platform Author EDB-ID CVE-ID OSVDB-ID Download App SIS Signature
2017-01-31OtherBINOM3Karn Ganeshen reported these vulnerabilities. N/ACVE-2017-5164 CVE-2017-5162 CVE-2017-5165 CVE-2017-5166 CVE-2017N/AN/AN/A

Source

						
							
								
#
# BINOM3 Electric Power Quality Meter (Update A)
#


### VULNERABLE VENDOR
BINOM3


### VULNERABLE PRODUCT
Electric Power Quality Meter



### RESEARCHER
Karn Ganeshen reported these vulnerabilities.



### AFFECTED PRODUCTS

The following BINOM3 power meters are affected:

Universal multifunctional electric power quality meter.



### IMPACT

--------- Begin Update A Part 1 of 1 --------
Successful exploitation of these vulnerabilities could cause unauthorized access to the device, sensitive information leakage, arbitrary script/code execution, unauthorized functional configuration and data changes, and denial-of-service attacks.
--------- End Update A Part 1 of 1 ----------



### VULNERABILITY OVERVIEW

CROSS-SITE SCRIPTING CWE-79
Input sent from a malicious client is not properly verified by the server.
An attacker can execute arbitrary script code in another user's browser session.
CVE-2017-5164 has been assigned to this vulnerability.
A CVSS v3 base score of 8.8 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:H)


IMPROPER ACCESS CONTROL CWE-284
Lack of authentication for remote service gives access to application set up and configuration.
CVE-2017-5162 has been assigned to this vulnerability.
A CVSS v3 base score of 10 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)


CROSS-SITE REQUEST FORGERY CWE-352
There is no CSRF Token generated per page and/or per (sensitive) function.
Successful exploitation of this vulnerability can allow silent execution of unauthorized actions on the device such as configuration parameter changes, and saving modified configuration.
CVE-2017-5165 has been assigned to this vulnerability.
A CVSS v3 base score of 8.8 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:H)


INFORMATION EXPOSURE CWE-200
This flaw can be used to gain privileged access to the device.
CVE-2017-5166 has been assigned to this vulnerability.
A CVSS v3 base score of 9.8 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


HARD-CODED PASSWORD CWE-259
Users do not have any option to change their own passwords.
CVE-2017-5167 has been assigned to this vulnerability.
A CVSS v3 base score of 8.6 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L)





### BACKGROUND

Critical Infrastructure Sector(s): Energy
Countries Deployed: Russia
Company Headquarters Location: St Petersburg, Russia




### MITIGATION

BINOM3 has not created mitigations for these vulnerabilities.