Hundreds of solar power monitoring systems are at risk due to three critical vulnerabilities, and experts warn that hackers are already taking advantage of them. The Mirai botnet, as well as other cybercriminals, has started exploiting these vulnerabilities, with more expected to follow suit.
The Mirai botnet was found to be spreading through CVE-2022-29303, a command injection flaw in the SolarView Series software developed by Contec. This software is used in over 30,000 solar power stations, making it a prime target for hackers. Palo Alto Networks’ Unit 42 researchers discovered this vulnerability, raising concerns about the potential consequences of exploitation.
Vulnerability intelligence firm VulnCheck pointed out in a recent blog post that CVE-2022-29303 is just one of three critical vulnerabilities in SolarView. This indicates that multiple weaknesses in the system could be exploited by hackers. The worst-case scenario here is that the attackers gain control over the compromised monitoring system, leading to further damage or unauthorized access to the environment.
One of the vulnerabilities, CVE-2022-29303, is rooted in a particular endpoint of the SolarView web server, confi_mail.php. This endpoint fails to properly sanitize user-supplied input, allowing remote attackers to execute code on the system. While this vulnerability gained some attention when it was disclosed, it is not the only problem within SolarView.
Another vulnerability, CVE-2023-23333, affects a different endpoint called downloader.php. Similar to CVE-2022-29303, this vulnerability enables command injection and was made public in February. Additionally, CVE-2022-44354, which was published towards the end of last year, is an unrestricted file upload vulnerability affecting yet another endpoint. This vulnerability allows attackers to upload PHP Web shells to targeted systems. All three vulnerabilities have been assigned critical CVSS scores of 9.8 out of 10.
VulnCheck also noted that these two additional endpoints, like confi_mail.php, appear to be actively exploited by hosts that GreyNoise classifies as malicious. This further confirms that these vulnerabilities are being targeted by hackers.
As of this month, there are 615 Internet-exposed instances of SolarView that are at risk of remote compromise. However, cybersecurity experts stress that, in most cases, these systems should not be reachable from the open Internet at all. A better practice is to operate them within controlled environments and limit their exposure to potentially malicious networks. This can be achieved by placing them on their own virtual local area networks (VLANs) and restricting access to a few specific gateways or applications.
Unfortunately, many of these Internet-facing SolarView systems remain unpatched. Out of the 615 instances, 425 were running versions of the software that lacked the necessary patch. This is a common issue with IoT and operational technology devices, as they are often more challenging to update compared to traditional computers or mobile devices. In some cases, decision-makers may choose to accept the risk rather than taking the systems offline to install security patches.
The good news is that all three vulnerabilities have been patched in SolarView version 8.00. Still, it is crucial for system operators to apply these patches promptly to ensure the security and integrity of their solar power monitoring systems. Failure to do so could leave the door open to damage and unauthorized access to the environment.
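The two defensive checks the article describes, restricting who can reach the monitoring system and confirming it runs a patched version, can be turned into a small triage script. The following Python is an added example, not code from the article, VulnCheck or Contec. It assumes the two endpoint names given on the page (confi_mail.php and downloader.php), that SolarView is fronted by a web server producing common-format access logs, and a constructed management network (10.20.30.0/24) as the only allowed source; the sample log lines are constructed for the example. It flags requests to the affected endpoints that arrive from outside the allowed networks, compares the reported version against the patched 8.00 release, and combines both into a single priority.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List

# Endpoints the article names as affected by CVE-2022-29303 and CVE-2023-23333.
# The endpoint for CVE-2022-44354 is not named on the page, so it is not listed.
WATCHED_ENDPOINTS = ("confi_mail.php", "downloader.php")

# Version in which the article says all three vulnerabilities were fixed.
PATCHED_VERSION = (8, 0)

# Assumed management VLAN allowed to reach SolarView (constructed for this example).
ALLOWED_NETWORKS = [ipaddress.ip_network("10.20.30.0/24")]

# Common log format: client, identd, user, [timestamp], "METHOD PATH PROTO", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample log lines; addresses are documentation ranges.
SAMPLE_LOG = """\
10.20.30.5 - - [03/Jul/2023:10:00:01 +0000] "GET /confi_mail.php HTTP/1.1" 200 512
203.0.113.7 - - [03/Jul/2023:10:00:09 +0000] "POST /confi_mail.php HTTP/1.1" 200 512
198.51.100.23 - - [03/Jul/2023:10:01:15 +0000] "GET /downloader.php HTTP/1.1" 200 88
10.20.30.8 - - [03/Jul/2023:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 1024
"""


@dataclass
class Finding:
    ip: str
    path: str
    timestamp: str


def version_is_patched(version: str) -> bool:
    """True if a SolarView version string such as '8.00' is at or above 8.00."""
    try:
        parts = tuple(int(p) for p in version.strip().split("."))
    except ValueError:
        return False  # unparseable version: treat as unpatched
    parts = parts + (0,) * (2 - len(parts))  # pad '8' to (8, 0)
    return parts[:2] >= PATCHED_VERSION


def triage_access_log(lines: Iterable[str],
                      allowed_networks=ALLOWED_NETWORKS) -> List[Finding]:
    """Return requests to watched endpoints that came from outside the allowed networks."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable request line
        path = m.group("path").split("?", 1)[0]
        if not path.endswith(WATCHED_ENDPOINTS):
            continue  # unrelated endpoint
        ip = ipaddress.ip_address(m.group("ip"))
        if any(ip in net for net in allowed_networks):
            continue  # expected administrative access from the management VLAN
        findings.append(Finding(str(ip), path, m.group("ts")))
    return findings


def assess(version: str, findings: List[Finding]) -> str:
    """Combine exposure evidence and patch level into one remediation priority."""
    exposed = bool(findings)
    patched = version_is_patched(version)
    if exposed and not patched:
        return "critical: reachable from untrusted networks and unpatched; isolate, then upgrade to 8.00"
    if exposed:
        return "high: patched but reachable from untrusted networks; restrict access to the management VLAN"
    if not patched:
        return "medium: no untrusted access observed but unpatched; schedule upgrade to 8.00"
    return "low: patched and only reached from allowed networks"


if __name__ == "__main__":
    hits = triage_access_log(SAMPLE_LOG.splitlines())
    for f in hits:
        print(f"{f.timestamp}  {f.ip}  {f.path}")
    print(assess("6.20", hits))
```

Run against real logs, the script is only a first filter: a request to either endpoint from an unexpected network is reason to check the device's version and segmentation, not proof of compromise, and the allowed-network list should mirror the VLAN and gateway rules actually enforced in front of the device.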
Overall, the vulnerabilities in SolarView present a significant cyber threat to the solar power industry. It is imperative for manufacturers, system operators, and cybersecurity professionals to address these vulnerabilities promptly and establish robust security measures to mitigate the risks associated with these critical weaknesses.