Actively Exploited Vulnerability Threatens Hundreds of Solar Power Stations

An anonymous reader quotes a report from Ars Technica: Hundreds of Internet-exposed devices inside solar farms remain unpatched against a critical and actively exploited vulnerability that makes it easy for remote attackers to disrupt operations or gain a foothold inside the facilities. The devices, sold by Osaka, Japan-based Contec under the brand name SolarView, help people inside solar facilities monitor the amount of power they generate, store, and distribute. Contec says that roughly 30,000 power stations have introduced the devices, which come in various packages based on the size of the operation and the type of equipment it uses.

Searches on Shodan indicate that more than 600 of them are reachable on the open Internet. As problematic as that configuration is, researchers from security firm VulnCheck said Wednesday, more than two-thirds of them have yet to install an update that patches CVE-2022-29303, the tracking designation for a vulnerability with a severity rating of 9.8 out of 10. The flaw stems from the failure to neutralize potentially malicious elements included in user-supplied input, leading to remote attacks that execute malicious commands. Security firm Palo Alto Networks said last month the flaw was under active exploit by an operator of Mirai, an open source botnet consisting of routers and other so-called Internet of Things devices. The compromise of these devices could cause facilities that use them to lose visibility into their operations, which could result in serious consequences depending on where the vulnerable devices are used.

"The fact that a number of these systems are Internet facing and that the public exploits have been available long enough to get rolled into a Mirai-variant is not a good situation," VulnCheck researcher Jacob Baines wrote. "As always, organizations should be mindful of which systems appear in their public IP space and track public exploits for systems that they rely on." Baines said that the same devices vulnerable to CVE-2022-29303 were also vulnerable to CVE-2023-23333, a newer command-injection vulnerability that also has a severity rating of 9.8. Although there are no known reports of it being actively exploited, exploit code has been publicly available since February. Incorrect descriptions for both vulnerabilities are one factor involved in the patch failures, Baines said. Both vulnerabilities indicate that SolarView versions 8.00 and 8.10 are patched against CVE-2022-29303 and CVE-2023-293333. In fact, the researcher said, only 8.10 is patched against the threats.

No responsibility, no security

[Anonymous Coward]

Without liability in the form of automatic penalties and fines,
there will be no improvement in IoT software security.

Hundreds of Internet-exposed devices

[takionya]

What kind of idiots are still doing this in mid 2023?
Yet another defect in the web interface.

Re:Hundreds of Internet-exposed devices

[Jahta]

What kind of idiots are still doing this in mid 2023? Yet another defect in the web interface.

Yeah, this is Security 101 stuff; "you can't hack something that isn't there". But too many organisations see security spend as dead money. The attitude is, why go to the expense of setting up a private network (and a secure VPN if your people need remote access) when you can just put everything on the public Internet?

Re:

[tlhIngan]

What kind of idiots are still doing this in mid 2023?
Yet another defect in the web interface.

Lots, actually. Any solar installation, including residental solar, is full of analytics. Basically every solar inverter has a Wi-Fi or Ethernet connection to connect it to the Internet for analytics and management purposes (many places do not allow "dumb" inverters to be installed and require "smart" inverters).

There are also many sites that publish the solar analytics data so users can view and compare how their s

Re:

[gweihir]

The usual idiots. Most people are incapable of learning. There is absolutely no excuse anymore for crap like that. Bus since there is no liability, the ones responsible do not get fired. And hence nothing changes.

Re:

[PPH]

What kind of idiots

The kind with CEOs that insist on whipping out their iPhones and showing their golf buddies exactly how many kilowatts their solar plant is putting out right now.

The kind of idiot that you don't argue with. You just open the port to the world, shake your head and walk away.

PredictorGPT

[Tablizer]

Republicans: "Nobody ever hacked coal"

Re: PredictorGPT

[LindleyF]

That's literally what a pickaxe is for.

Re: PredictorGPT

[Anonymouse Cowtard]

In Soviet Russia, power station threatens you!

Re:

[Tablizer]

Why does your pickaxe have IOT?

Re: PredictorGPT

[LindleyF]

It doesn't Matter.

Re:

[Tablizer]

Because it does, I hacked your hacker.

Re:

[Tablizer]

Um, this Matter? https://csa-iot.org/all-soluti... [csa-iot.org]

Re:

[Anonymous Coward]

It's been a few years but I never encountered a SCADA system that was secure enough to exist on anything but its own, air-gapped network and most of them had connections directly to the Internet because "how else will the contractors be able to troubleshoot it?"

Re:

[Tablizer]

It's a good thing righties never make strawmen.

Re: PredictorGPT

[LindleyF]

The right literally changed the definition of the word "woke" to make it nefarious.

Major Panic

[SuperKendall]

Hundreds of Internet-exposed devices inside solar farms

The big danger here is that from everything I know about hackers from the movies, this means they might be able to hack through the panels into the sun itself and then we are screwed!

solar power stations

[ralfblake]

The security of solar power stations is crucial for a resilient and sustainable energy future. This concerning news reminds us of the need for robust cybersecurity measures to safeguard critical infrastructure. Let's address these vulnerabilities swiftly and collaboratively to protect our renewable energy systems and ensure a secure energy landscape.