around the world has exposed a serious vulnerability that remote attackers are actively exploiting to disrupt operations or to maintain a foothold in the system. The affected device is the SolarView solar power generation monitoring system produced by Contec of Osaka, Japan. It helps personnel at solar PV plants monitor generation, storage, and distribution. According to Contec, about 30,000 power stations around the world have deployed these devices, and SolarView is available in different packages depending on the size of the operation and the type of equipment used.
SolarView has two vulnerabilities (CVE-2022-29303 and CVE-2023-23333), both with a severity score of 9.8. CVE-2022-29303 is an unauthenticated remote command injection vulnerability affecting the Contec SolarView family. It stems from a failure to sanitize user-supplied input, which allows an attacker to execute arbitrary commands on the device remotely.
CVE-2022-29303 affects the conf_mail.php endpoint of the device's web server. Version 6.20 (the release after the vulnerable version 6.00) did not fix the problem, so both 6.00 and 6.20 are affected. Researchers found that this very direct command injection flaw in conf_mail.php has existed since at least version 4.00.
Researchers at security company VulnCheck searched Shodan and found that more than 600 photovoltaic power plants are currently reachable from the open Internet (above). They note that more than two-thirds of the PV plants using Contec equipment have not yet installed the patch for CVE-2022-29303.
Security company Palo Alto Networks revealed last month that the vulnerability was being actively exploited by operators of Mirai, an open-source botnet of routers and other Internet of Things devices. Exploitation of the Contec vulnerabilities could cost PV plant operators visibility into their facilities, with consequences that depend on where the vulnerable equipment is deployed. "The fact that many similar systems for PV plants are Internet-facing and that the exploit has been public long enough to be included in the Mirai variant is not good news," said VulnCheck researcher Jacob Baines. PV operators should pay attention to which of their systems appear in public IP space and closely track the public vulnerabilities affecting those systems.
Baines said that many of the SolarView devices vulnerable to CVE-2022-29303 are also vulnerable to CVE-2023-23333, a newer command injection vulnerability with a severity score of 9.8. Exploit code for that vulnerability has been public since February of this year.
Baines pointed out that because the CVE descriptions for CVE-2022-29303 and CVE-2023-23333 were inaccurate, many PV operators failed to patch. The descriptions of both vulnerabilities claim that SolarView 8.00 and 8.10 fix them, but in fact only 8.10 patches both.
Palo Alto Networks said the exploitation of CVE-2022-29303 was only part of a larger campaign that exploited 22 vulnerabilities in a range of IoT devices to spread a Mirai variant. The attacks began in March, with attackers using the vulnerabilities to install shells for remote control of the devices. Once exploited, a device downloads and runs bot clients built for various Linux architectures.
There are indications that CVE-2022-29303 may have been targeted even earlier: exploit code has been circulating since May 2022, when a hacker posted a YouTube video of using Shodan to find and attack SolarView systems (below).
For the second vulnerability, CVE-2023-23333, there is no indication that attackers are actively exploiting it, but multiple exploits for it have been posted on GitHub.
As of press time, Contec's official website carries no security advisory for these two vulnerabilities. Any enterprise using affected devices should update to SolarView version 8.10 as soon as possible. PV plants should also check whether vulnerable devices are exposed to the Internet and, if so, reconfigure them so they can only be reached from the internal network.