October 9, 2019
Severity
Medium
Analysis Summary
CVE-2019-13554
The affected product has an unsecured Telnet protocol that may allow a user to create an authenticated session using generic default credentials.
CVE-2019-13918
The affected product is shipped with pre-configured hard-coded credentials that may allow root-user access to the controller. A limited application of the affected product may ship without setup and configuration instructions immediately available to the end user. The bulk of controllers go into applications requiring the GE commissioning engineer to change default configurations during the installation process.
Impact
- Improper Authorization
- Use of Hard-coded Credentials
Affected Vendors
GE
Affected Products
Mark VIe Controller
Remediation
GE recommends users apply the following mitigations:
- Disable the Telnet service (Telnet was enabled by default on Mark VIe controllers with versions of Control*ST earlier than v6.0).
- Reset controller passwords upon transfer of Mark VIe to the operating environment.
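
One way to track these two mitigations across a fleet is shown below. It is an added example, not code from GE or from this advisory. The inventory columns, controller names, addresses and the version string format are assumptions made for illustration. The probe only checks whether the Telnet port accepts a TCP connection and sends no data.

```python
import csv, io, re, socket

TELNET_DEFAULT_ON_BEFORE = (6, 0)  # advisory: Control*ST earlier than v6.0

# Constructed inventory (assumed columns); hosts are documentation addresses.
SAMPLE_INVENTORY = """name,host,controlst_version,passwords_reset
unit1-ctrl,192.0.2.10,5.4,no
unit2-ctrl,192.0.2.11,6.1,yes
unit3-ctrl,192.0.2.12,v4.07,yes
"""

def parse_version(text):
    """Return (major, minor) from strings such as '5.4' or 'v4.07' (assumed format)."""
    m = re.match(r"\s*[vV]?(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return int(m.group(1)), int(m.group(2) or 0)

def telnet_listening(host, port=23, timeout=2.0):
    """True if a TCP connection to the Telnet port succeeds. No data is sent."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable or timed out
        return False

def audit(inventory_csv, probe=telnet_listening):
    """Yield (name, findings) for every controller that still needs attention."""
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        findings = []
        if parse_version(row["controlst_version"]) < TELNET_DEFAULT_ON_BEFORE:
            findings.append("Control*ST < v6.0: Telnet enabled by default")
        if probe(row["host"]):
            findings.append("Telnet port accepts connections: disable the service")
        if row["passwords_reset"].strip().lower() != "yes":
            findings.append("controller passwords not reset since transfer")
        if findings:
            yield row["name"], findings

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INVENTORY):
        print(name, *findings, sep="\n  - ")
```

A controller on v6.0 or later can still be flagged by the probe, since the version check only reflects the shipped default and not the current service state.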