10 June 2019

Multiple vulnerabilities in Optergy Proton/Enterprise building management system

Multiple vulnerabilities have been identified in the Optergy Proton/Enterprise building management system, some of them critical. Successful exploitation of the vulnerabilities identified could allow an attacker to achieve remote code execution and gain full system access.

A total of seven security flaws were identified. The most severe of these are:

  • Unrestricted Upload of File with Dangerous Type (CVE-2019-7274). A remote and unauthenticated attacker can upload files with arbitrary extensions into a directory within the application’s web root and execute them with the privileges of the web server. The vulnerability, which was assigned a CVSS v.3 base score of 9.9, exists due to the absence of file extension validation when uploading files.
  • Hidden functionality (CVE-2019-7276), allowing unauthenticated code execution with the highest privileges. An attacker could exploit this vulnerability to navigate directly to an undocumented backdoor script and gain full system access. A CVSS v.3 base score of 10, the highest possible severity score, was calculated for this vulnerability.
  • Use of dangerous undeclared class functions (CVE-2019-7278), which could be used by unauthenticated users for direct access to certain resources. This vulnerability was assigned a CVSS v.3 base score of 7.3.
  • A hard-coded credentials vulnerability (CVE-2019-7279), which could be used by attackers to send unauthorized SMS messages to any phone number, limited only by the SMS credits available to the account behind the hard-coded credentials in the function. A CVSS v.3 base score of 3 has been calculated for this flaw.
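The first item above attributes CVE-2019-7274 to missing file extension validation on an upload endpoint that writes into the web root. The following Python is an added illustration of that defect and its mitigation; it is not Optergy code and is not taken from the advisory. It contrasts a weak substring-style extension check with a validator that uses an allowlist (the allowlist, magic-number table, and function names are assumptions for the example), checks the content against the declared type, discards the client-supplied name, and confines the stored file to a fixed upload directory.

```python
import os
import posixpath
import secrets

# Constructed allowlist: only the extensions this upload endpoint legitimately needs.
ALLOWED_EXTENSIONS = frozenset({"png", "jpg", "jpeg", "gif", "pdf", "csv"})

# Constructed magic-number table for the allowed binary types.
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}


class UploadRejected(ValueError):
    """Raised for any upload that violates the storage policy."""


def naive_extension_check(filename: str) -> bool:
    """A check that is too weak to prevent dangerous uploads: it accepts any
    name that merely *contains* an allowed extension, so 'shell.php.jpg' passes."""
    return any(ext in filename.lower() for ext in ALLOWED_EXTENSIONS)


def validate_upload(filename: str, content: bytes) -> str:
    """Hardened validation. Returns the server-side name to store the file under
    and raises UploadRejected on any policy violation."""
    # 1. Drop any client-supplied path (forward or back slashes) and refuse
    #    names that are empty, dot-only, or contain a NUL byte.
    base = posixpath.basename(filename.replace("\\", "/"))
    if not base or base in (".", "..") or "\x00" in base:
        raise UploadRejected("invalid file name")

    # 2. Take the extension after the *last* dot and compare it, lower-cased,
    #    against the allowlist. A name with no stem (".htaccess") is refused.
    stem, dot, ext = base.rpartition(".")
    if not dot or not stem:
        raise UploadRejected("file has no extension")
    ext = ext.lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise UploadRejected(f"extension .{ext} not permitted")

    # 3. For binary types, the content must start with the expected signature;
    #    a script body renamed to .jpg fails here even though the extension passed.
    prefixes = MAGIC.get(ext)
    if prefixes is not None and not content.startswith(prefixes):
        raise UploadRejected("content does not match declared type")

    # 4. Never reuse the client's name: random stem plus the validated extension.
    return f"{secrets.token_hex(16)}.{ext}"


def storage_path(upload_root: str, stored_name: str) -> str:
    """Join the stored name onto a fixed upload directory (which should live
    outside the web root, or be served with script execution disabled) and
    verify the resolved path did not escape it."""
    root = os.path.realpath(upload_root)
    path = os.path.realpath(os.path.join(root, stored_name))
    if os.path.commonpath([root, path]) != root:
        raise UploadRejected("path escapes upload directory")
    return path


def is_rejected(filename: str, content: bytes) -> bool:
    """Convenience wrapper: True if validate_upload refuses the upload."""
    try:
        validate_upload(filename, content)
    except UploadRejected:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample inputs: a script body dressed up as an image, and a real PNG header.
    script_body = b"<?php system($_GET['c']); ?>"
    png_header = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    print("naive check accepts shell.php.jpg:", naive_extension_check("shell.php.jpg"))
    print("hardened check rejects shell.php.jpg:", is_rejected("shell.php.jpg", script_body))
    print("stored as:", validate_upload("../../report.png", png_header))
```

The two defences compound: the allowlist stops unknown extensions outright, the signature check stops content that does not match the claimed type, and the random server-side name plus the confined storage directory mean that even a file which passes both checks cannot be addressed by a path the uploader chose or be executed by the web server.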

The vulnerabilities identified also include information exposure (CVE-2019-7272), cross-site request forgery (CVE-2019-7273), and open redirect (CVE-2019-7275) flaws.

The above vulnerabilities affect Proton/Enterprise versions 2.3.0a and prior.

To address these issues, the vendor recommends updating the Optergy server to version 2.4.5 or later.

Source: ICS-CERT