January 18, 2017

Serious vulnerabilities in Carlo Gavazzi VMU-C EM & VMU-C PV systems

Carlo Gavazzi has released firmware updates that fix serious vulnerabilities which could be exploited in cyberattacks.

At least three security holes of critical and high severity were discovered in both the VMU-C EM Energy Management system and the VMU-C PV Photovoltaic Monitoring system running firmware versions prior to A11_U05 and A17 respectively.

According to an advisory published last week by ICS-CERT, the product has a flaw that allows access to most of the application’s functions without authentication (CVE-2017-5144), and a cross-site request forgery (CSRF) weakness that can be exploited to change configuration parameters (CVE-2017-5145).

We therefore advise all our clients to take the following actions recommended by Carlo Gavazzi.
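As an added illustration of the two weakness classes named in the advisory above (this is not code from the advisory, from ICS-CERT or from Carlo Gavazzi), the following Python sketches a configuration endpoint first without any session or origin check, then with the authentication gate and per-session synchronizer-token check that close those gaps. The endpoint path, session cookie name, token scheme and configuration keys are assumptions made for the example; the device's real interfaces are not described on this page.

```python
"""Generic illustration of 'functions reachable without authentication'
and 'configuration change via CSRF'. Constructed for this page; the
endpoint, cookie and token names are assumptions, not the product's."""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Tuple

# Constructed session store: session id -> per-session CSRF token.
SESSIONS: Dict[str, str] = {}


def login() -> str:
    """Create an authenticated session and its synchronizer token."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = secrets.token_hex(32)
    return sid


@dataclass
class Request:
    """Minimal model of an HTTP request (hypothetical shape)."""
    method: str
    path: str
    cookies: Dict[str, str] = field(default_factory=dict)
    form: Dict[str, str] = field(default_factory=dict)


def handle_vulnerable(req: Request, config: Dict[str, str]) -> Tuple[int, str]:
    """Pattern the advisory describes: the function is reachable with no
    session check, and a POST from any origin is accepted, so a forged
    cross-site form submission can change configuration (CSRF)."""
    if req.path == "/set_config" and req.method == "POST":
        config.update(req.form)
        return 200, "config updated"
    return 404, "not found"


def handle_hardened(req: Request, config: Dict[str, str]) -> Tuple[int, str]:
    """Same function with the two checks the weaknesses lack."""
    # 1. Authentication: every application function requires a valid session.
    sid = req.cookies.get("session")
    if sid is None or sid not in SESSIONS:
        return 401, "authentication required"
    # 2. CSRF: state-changing methods must carry the token bound to this
    #    session; a forged form from another site cannot know it.
    if req.method in ("POST", "PUT", "DELETE"):
        token = req.form.get("csrf_token", "")
        if not hmac.compare_digest(token, SESSIONS[sid]):
            return 403, "invalid CSRF token"
    if req.path == "/set_config" and req.method == "POST":
        changes = {k: v for k, v in req.form.items() if k != "csrf_token"}
        config.update(changes)
        return 200, "config updated"
    return 404, "not found"


if __name__ == "__main__":
    # Constructed forged request: no session cookie, no token.
    forged = Request("POST", "/set_config", form={"ntp_server": "attacker.example"})
    cfg = {"ntp_server": "pool.example.net"}
    print("vulnerable:", handle_vulnerable(forged, cfg), cfg)
    cfg = {"ntp_server": "pool.example.net"}
    print("hardened, no session:", handle_hardened(forged, cfg), cfg)
    sid = login()
    good = Request("POST", "/set_config", cookies={"session": sid},
                   form={"ntp_server": "ntp.example.org", "csrf_token": SESSIONS[sid]})
    print("hardened, legitimate:", handle_hardened(good, cfg), cfg)
```

The hardened handler applies the session check before anything else, so unauthenticated callers learn nothing about which paths exist, and it compares the token with `hmac.compare_digest` rather than `==` so the comparison does not leak timing information.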

MITIGATION

Carlo Gavazzi recommends upgrading to the following firmware versions:

· VMU-C EM A11_U05 for VMUC EM, and

· VMU-C PV A17 for VMUC PV.

The relevant firmware versions are available either by means of the firmware update function embedded in the VMU-C or by downloading them from ENERGI5's website.

RECOMMENDATIONS

· Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.

· Locate control system networks and remote devices behind firewalls, and isolate them from the business network.

· When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.
