CVE-2016-2296
published 2016-05-14CVE-2016-2296: Meteocontrol WEB'log Basic 100, Light, Pro, and Pro Unlimited does not require authentication for "post-admin" login pages, which allows remote attackers to…
PriorityP276critical9.4CVSS 3.0
AVNACLPRNUINSUCHIHAL
EXPLOIT
EPSS
64.37%
99.1th percentile
Meteocontrol WEB'log Basic 100, Light, Pro, and Pro Unlimited does not require authentication for "post-admin" login pages, which allows remote attackers to obtain sensitive information or modify data via unspecified vectors.
Detection & IOCsextracted from sources · hover to see the quote
- →Fingerprint Meteocontrol WEBlog devices by checking HTTP Server header for 'IS2 Web Server' or response body containing "WEB'log". ↗
- →Flag HTTP responses from /html/en/confAccessProt.html that contain the string 'szWebAdminPassword' in the body — this indicates the admin password is being returned in cleartext without authentication. ↗
- →Alert on unauthenticated access to any post-login admin configuration pages (e.g. /html/en/confAccessProt.html) from external/untrusted network segments, as all application functionality is accessible without authentication. ↗
- ·The default port is 8080 but the application may run on a different port; scanning should not be limited to port 8080 alone. ↗
- ·On some device models the 'Website password' page is renamed or absent, meaning the szWebAdminPassword field may not be present even on vulnerable devices. ↗
- ·All WEB'log product lines (Basic 100, Light, Pro, Pro Unlimited) are affected across all versions prior to the May 2016 release fix. ↗
CVSS provenance
nvdv3.09.4CRITICALCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
nvdv2.07.5HIGHAV:N/AC:L/Au:N/C:P/I:P/A:P
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
CISA ICS
Meteocontrol WEB'log Vulnerabilities (Update A)
cisa_ics·2016-05-12
Meteocontrol WEB'log Vulnerabilities (Update A)
## Archived Content In an effort to keep CISA.gov current, the archive contains outdated information that may not reflect current policy or programs.
ICS Advisory
##
Meteocontrol WEB'log Vulnerabilities (Update A)
Last RevisedAugust 23, 2018
Alert CodeICSA-16-133-01A
## OVERVIEW
This updated advisory is a follow-up to the original advisory titled ICSA-16-133-01 Meteocontrol WEB'log Vulnerabilities that was published May 12, 2016, on the NCCIC/ICS‑CERT web site.
Independent researcher Karn Ganeshen has identified one authentication and two information exposure vulnerabilities in Meteocontrol’s WEB’log application. Meteocontrol has produced a new version to mitigate these vulnerabilities.
These vulnerabilities could be exploited remotely.
#
GHSA
GHSA-g7wf-vfjj-8q52: Meteocontrol WEB'log Basic 100, Light, Pro, and Pro Unlimited does not require authentication for "post-admin" login pages, which allows remote attack
ghsa_unreviewed·2022-05-17
CVE-2016-2296 [CRITICAL] GHSA-g7wf-vfjj-8q52: Meteocontrol WEB'log Basic 100, Light, Pro, and Pro Unlimited does not require authentication for "post-admin" login pages, which allows remote attack
Meteocontrol WEB'log Basic 100, Light, Pro, and Pro Unlimited does not require authentication for "post-admin" login pages, which allows remote attackers to obtain sensitive information or modify data via unspecified vectors.
No detection rules found.
Exploit-DB
Meteocontrol WEB’log - Admin Password Disclosure (Metasploit)
exploitdb·2016-05-17·CVSS 9.4
CVE-2016-2296 [CRITICAL] Meteocontrol WEB’log - Admin Password Disclosure (Metasploit)
Meteocontrol WEB’log - Admin Password Disclosure (Metasploit)
---
# Exploit Title: [Meteocontrol WEB'log - Extract Admin password]
# Discovered by: Karn Ganeshen
# Vendor Homepage: [http://www.meteocontrol.com/en/]
# Versions Reported: [All Meteocontrol WEB'log versions]
# CVE-ID: [CVE-2016-2296]
# Meteocontrol WEB'log - Metasploit Auxiliary Module [modules/auxiliary/admin/scada/meteocontrol_weblog_login.rb]
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule 'Meteocontrol WEBLog Password Extractor',
'Description' => %{
This module exploits an authentication bypass vulnerability in Meteocontrol WEBLog (all models). This vulnerability allows extracting Admini
Metasploit
Meteocontrol WEBlog Password Extractor
metasploit
Meteocontrol WEBlog Password Extractor
Meteocontrol WEBlog Password Extractor
This module exploits an authentication bypass vulnerability in Meteocontrol WEBLog appliances (software version < May 2016 release) to extract Administrator password for the device management portal.
No writeups or analysis indexed.
2016-05-14
Published