CVE-2022-47554
📋 TL;DR
CVE-2022-47554 lets an unauthenticated remote attacker retrieve XML files from the web interface of Ormazabal ekorCCP and ekorRCI devices; those files contain credentials and other sensitive configuration data. The products are used in electrical substation management, so the stolen credentials give an attacker a foothold for further attacks on the industrial control network.
💻 Affected Systems
- ekorCCP
- ekorRCI
📦 What is this software?
ekorCCP and ekorRCI are control units from Ormazabal, a Spanish manufacturer of medium-voltage distribution equipment, and are deployed in electrical substation management. Both expose a web interface, and it is that interface which serves the affected XML files.
⚠️ Risk & Real-World Impact
Worst Case
Attackers obtain administrative credentials, gain full control of electrical substation management systems, and potentially disrupt power distribution or cause physical damage.
Likely Case
Attackers steal credentials and sensitive configuration data, enabling further attacks on the industrial control network.
If Mitigated
With network segmentation and IP-based access controls in place, the web interface is reachable only from trusted management hosts, so an attacker on an untrusted network cannot request the XML files at all and any exposure is confined to the isolated OT segment.
🎯 Exploit Status
No exploit code is needed: the XML files containing credentials and configuration are retrievable with a plain HTTP GET to the web interface, either by requesting the file path directly or via a directory traversal path, without authenticating first.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Contact Ormazabal for specific patched versions
Vendor Advisory: https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-ormazabal-products
Restart Required: Yes
Instructions:
1. Contact Ormazabal for the security patches for ekorCCP and ekorRCI.
2. Apply the patches following the vendor's instructions.
3. Restart the affected devices.
4. Confirm that an unauthenticated request for the XML files now returns a 401/403 or a login page instead of the file contents.
🔧 Temporary Workarounds
Network Segmentation
Isolate affected devices from untrusted networks using firewalls and VLANs, so the web interface is not reachable from outside the OT/management segment.
Access Control Lists
Implement strict IP-based access controls that allow only designated management hosts to reach the web interfaces.
🧯 If You Can't Patch
- Implement network segmentation to isolate affected systems from untrusted networks
- Put a web application firewall or reverse proxy in front of the web interface that denies requests for .xml paths (and directory traversal sequences) from anything other than the management network
🔍 How to Verify
Check if Vulnerable:
Request a known XML path from the web interface without any session cookie or credentials, for example `curl -v http://target/path/to/sensitive.xml`, and inspect the response: an HTTP 200 whose body is the XML document (rather than a login page, or a 401/403) means the device is vulnerable.
Check Version:
Check system documentation or contact Ormazabal for version information
Verify Fix Applied:
Verify XML files containing credentials are no longer accessible without proper authentication
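The check above, and step 4 of the fix instructions, amount to the same test: fetch the XML paths with no credentials and see whether the XML (not a login page) comes back. The script below is an added example and is not Ormazabal's or INCIBE's code. It deliberately hard-codes no file paths, because the affected paths are not named on this page; the operator supplies them on the command line. The credential-tag pattern and the `cve-2022-47554-check` User-Agent are this example's own assumptions. Run it only against devices you are authorised to test.

```python
"""Check whether a web interface serves XML files without authentication.

Added example for CVE-2022-47554, not vendor code. The XML paths are an
operator-supplied assumption (none are hard-coded because the page does
not name them). Sends no cookies or Authorization header on purpose.
"""
import re
import sys
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

# Element/attribute names that commonly carry secrets (assumption; extend per site).
CREDENTIAL_NAMES = re.compile(r"(pass(word|wd)?|pwd|secret|token|user(name)?|login)", re.I)


def classify(status, body):
    """Classify one HTTP response for a requested XML path.

    'open-xml-credentials' -> 200 and well-formed XML with credential-like names
    'open-xml'             -> 200 and well-formed XML, no obvious secrets
    'open-other'           -> 200 but not XML (e.g. a login page after a redirect)
    'closed'               -> any non-200 status (401/403/404/...)
    """
    if status != 200:
        return "closed"
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return "open-other"
    for el in root.iter():  # iter() includes the root element itself
        if CREDENTIAL_NAMES.search(el.tag) or any(CREDENTIAL_NAMES.search(a) for a in el.attrib):
            return "open-xml-credentials"
    return "open-xml"


def fetch(url, timeout=10):
    """GET url unauthenticated and return (status, body); HTTP errors are data, not exceptions."""
    req = urllib.request.Request(url, headers={"User-Agent": "cve-2022-47554-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as e:
        return e.code, e.read()


def probe(base_url, paths):
    """Return {path: verdict} for every candidate path on the device."""
    results = {}
    for p in paths:
        status, body = fetch(base_url.rstrip("/") + "/" + p.lstrip("/"))
        results[p] = classify(status, body)
    return results


if __name__ == "__main__":
    if len(sys.argv) < 3:
        sys.exit("usage: check.py http://device /path/one.xml [/path/two.xml ...]")
    for path, verdict in probe(sys.argv[1], sys.argv[2:]).items():
        print(f"{verdict:22} {path}")
```

A verdict of `open-other` is not a finding: urllib follows redirects, so a device that bounces unauthenticated requests to an HTML login page returns 200 with non-XML content. Only `open-xml-credentials` (or `open-xml`, if the file is still sensitive) confirms the vulnerability; after patching, every path should come back `closed` or `open-other`.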
📡 Detection & Monitoring
Log Indicators:
- Unauthenticated access attempts to XML files
- Multiple failed authentication attempts followed by XML file access
Network Indicators:
- Unusual HTTP GET requests for .xml files from external IPs
- Traffic patterns showing directory traversal attempts
SIEM Query:
source="web_server" AND (uri="*.xml" OR uri CONTAINS ".xml") AND status="200" AND auth="none"
This is a schema-independent sketch rather than a query for a specific SIEM: map `uri`, `status` and the authenticated-user field to your log schema (`auth="none"` stands for an empty or "-" authuser field), and add a filter for source addresses outside the management network to cut noise from legitimate operator sessions.
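The log indicators above, worked through on sample data: the script below is an added example, not vendor code, and runs the "unauthenticated 200 for an .xml path from outside the management network" rule over access-log lines. It assumes Apache/nginx "combined" log format, as a fronting reverse proxy would produce; ekorCCP/ekorRCI's own log format is not documented on this page, so adjust the regex if you feed it device logs. The log lines, the file names in them and the 10.10.0.0/24 management network are constructed for the example.

```python
"""Flag unauthenticated 200 responses for .xml paths in web-server access logs.

Added example for CVE-2022-47554 detection, not vendor code. Assumes
"combined" log format: host ident authuser [time] "request" status bytes ...
The trusted network and the sample log lines below are constructed.
"""
import ipaddress
import re

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)'
)

# Management networks allowed to reach the device (assumption; set per site).
TRUSTED_NETS = [ipaddress.ip_network("10.10.0.0/24")]


def is_trusted(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETS)


def parse(line):
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def suspicious(rec):
    """True when an .xml file was served (200) to a request with no authuser ('-')
    from an address outside the trusted networks. The query string is stripped
    before the extension check so /x.xml?cache=1 still matches; the extension
    check is case-insensitive."""
    path = rec["path"].split("?", 1)[0]
    return (rec["method"] == "GET"
            and path.lower().endswith(".xml")
            and rec["status"] == "200"
            and rec["user"] == "-"
            and not is_trusted(rec["ip"]))


def scan(lines):
    """Return (ip, path, time) for every suspicious record, in log order."""
    hits = []
    for line in lines:
        rec = parse(line)
        if rec and suspicious(rec):
            hits.append((rec["ip"], rec["path"], rec["time"]))
    return hits


# Constructed sample log: one operator session from the management network,
# one external host pulling an XML file and then trying traversal, one external
# host fetching an upper-case .XML with a cache-busting query string.
SAMPLE_LOG = """\
10.10.0.7 - admin [12/Jan/2023:10:01:02 +0100] "GET /config/device.xml HTTP/1.1" 200 2311 "-" "Mozilla/5.0"
203.0.113.45 - - [12/Jan/2023:10:05:40 +0100] "GET /config/device.xml HTTP/1.1" 200 2311 "-" "curl/7.81.0"
203.0.113.45 - - [12/Jan/2023:10:05:41 +0100] "GET /../../etc/users.xml HTTP/1.1" 403 199 "-" "curl/7.81.0"
203.0.113.45 - - [12/Jan/2023:10:05:43 +0100] "GET /index.html HTTP/1.1" 200 1024 "-" "curl/7.81.0"
198.51.100.9 - - [12/Jan/2023:11:00:00 +0100] "GET /data/status.XML?rnd=1 HTTP/1.1" 200 540 "-" "python-requests/2.28"
""".splitlines()

if __name__ == "__main__":
    for ip, path, when in scan(SAMPLE_LOG):
        print(f"{when}  {ip}  served {path} without authentication")
```

The 403 on the traversal attempt is not flagged by this rule (nothing was served), but it is exactly the "traversal attempts" network indicator listed above; alert on a non-200 traversal immediately followed by a 200 for an .xml path from the same source, as the second and third sample lines show.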