Tollgrade SmartGrid Sensor Management System Software Vulnerabilities
CVSS 8.8 | ICS-CERT ICSA-16-040-01 | Nov 12, 2016
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: Required
Summary
LightHouse SMS Software contains multiple web interface vulnerabilities: cross-site request forgery (CWE-352) allows attackers to perform unauthorized actions in a user's session; cross-site scripting (CWE-79) enables injection of malicious scripts; insecure credential storage (CWE-522) exposes authentication tokens; and sensitive data exposure (CWE-200) leaks grid information. An authenticated user tricked into visiting attacker-controlled content could unknowingly modify sensor configurations, steal credentials, or expose sensitive grid data. The vulnerabilities affect versions 4.1.0_Build_16 and all versions below 5.1, with no vendor patches available.
What this means
What could happen
An attacker with network access could steal sensitive data about the power grid or modify sensor readings and configurations through cross-site request forgery and credential theft, potentially disrupting energy operations or causing equipment damage.
Who's at risk
Energy sector utilities using Tollgrade LightHouse SMS for sensor management and grid monitoring should care. The software is used to collect and manage readings from distributed sensors across the power network, including data aggregation and device configuration. The affected versions are 4.1.0_Build_16 and all versions before 5.1.
How it could be exploited
An attacker crafts a malicious web link or email that tricks a user into visiting a fake page or performing an action while logged into LightHouse SMS. The malicious request runs in the victim's browser session, stealing stored credentials (CWE-522) or exfiltrating grid sensor data (CWE-200). Alternatively, the attacker injects malicious scripts (CWE-79) into the web interface to capture user input or modify device configurations without authorization.
Prerequisites
- Network access to the LightHouse SMS web interface
- A user with valid SMS console credentials must be tricked into visiting attacker-controlled content
- The SMS system must not have anti-CSRF protections in place
- Sensitive data or configuration changes must be reachable from the user's browser session
Why it matters
- Remotely exploitable
- No authentication required for CSRF attacks
- High CVSS score (8.8)
- No patch available for affected versions
- User interaction required but realistic (phishing/social engineering)
- Affects critical energy infrastructure
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (2)
2 with fix
Product                                   Affected Versions   Fix Status
LightHouse SMS Software: 4.1.0_Build_16   4.1.0 Build 16      5.1
LightHouse SMS Software: <5.1             <5.1                5.1
Remediation & Mitigation
Do now
HARDENING: Implement a network firewall rule to restrict access to the LightHouse SMS console to authorized engineering workstations and networks only
WORKAROUND: Disable or remove the LightHouse SMS web interface if not actively used; manage the system only from a protected engineering network
WORKAROUND: Require users to re-authenticate before any sensitive configuration changes in the LightHouse SMS console
Long-term hardening
HARDENING: Apply security awareness training to operators and engineers on phishing and social engineering tactics that could trick them into visiting malicious sites
HARDENING: Segment the SMS management network from the operational network and external internet
HARDENING: Monitor and log all configuration changes in the LightHouse SMS system to detect unauthorized modifications
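The following Python is an added example written for this page, not code from Tollgrade or from the LightHouse SMS product. It shows, in one place, the three server-side controls the advisory's mitigation list relies on: an anti-CSRF check (same-origin header plus a per-session synchronizer token, which the prerequisites above say the affected versions lack), a requirement that the user has re-authenticated recently before a configuration change is accepted, and an audit log entry for every accepted or rejected change. The console origin, endpoint path, session and request structures, and the sample requests are all hypothetical.

```python
"""
Added example (not Tollgrade's or LightHouse SMS code): server-side checks a
web management console can apply to configuration-change requests so that a
request forged from another site is rejected, sensitive changes require a
recent re-authentication, and every decision is written to an audit log.
All names, origins, paths and the Request/Session structures are hypothetical.
"""
import hmac
import secrets
import time
from dataclasses import dataclass, field

ALLOWED_ORIGINS = {"https://sms.example.internal"}  # hypothetical console origin
REAUTH_WINDOW_SECONDS = 300                         # re-auth is valid for 5 minutes


@dataclass
class Session:
    user: str
    # per-session synchronizer token, rendered into the console's own forms
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))
    last_auth_time: float = 0.0  # when the user last proved their password


@dataclass
class Request:
    method: str
    path: str
    headers: dict
    form: dict
    session: Session


audit_log = []  # in a real deployment this would go to a central log collector


def _same_origin(headers):
    """A cross-site form post carries the attacker's Origin (or Referer), not ours."""
    origin = headers.get("Origin") or headers.get("Referer") or ""
    return any(origin == o or origin.startswith(o + "/") for o in ALLOWED_ORIGINS)


def check_config_change(req, now=None):
    """Return ("allow", []) or ("deny", [reasons]) for a configuration change."""
    now = time.time() if now is None else now
    reasons = []
    # 1. State-changing actions must never be reachable by a plain link (GET).
    if req.method != "POST":
        reasons.append("method-not-post")
    # 2. Browser-supplied origin must be the console itself.
    if not _same_origin(req.headers):
        reasons.append("origin-mismatch")
    # 3. Synchronizer token bound to this session, compared in constant time.
    submitted = req.form.get("csrf_token", "")
    if not hmac.compare_digest(submitted.encode(), req.session.csrf_token.encode()):
        reasons.append("csrf-token-invalid")
    # 4. Sensitive change: the user must have re-authenticated recently.
    if now - req.session.last_auth_time > REAUTH_WINDOW_SECONDS:
        reasons.append("reauth-required")
    decision = "allow" if not reasons else "deny"
    # 5. Every attempt is recorded so unauthorized modifications can be detected.
    audit_log.append({
        "time": now,
        "user": req.session.user,
        "path": req.path,
        "fields": sorted(k for k in req.form if k != "csrf_token"),
        "decision": decision,
        "reasons": list(reasons),
    })
    return decision, reasons


def sample_requests(now):
    """Constructed sample traffic: one legitimate change and one cross-site forgery."""
    sess = Session(user="operator", last_auth_time=now - 100)
    legit = Request("POST", "/config/sensor/7",
                    {"Origin": "https://sms.example.internal"},
                    {"csrf_token": sess.csrf_token, "threshold": "42"}, sess)
    # The forged request rides on the victim's session cookie but was submitted
    # from another site, so it carries a foreign Origin and no valid token.
    forged = Request("POST", "/config/sensor/7",
                     {"Origin": "https://attacker.example"},
                     {"threshold": "0"}, sess)
    return sess, legit, forged


if __name__ == "__main__":
    t0 = 1_000_000.0
    sess, legit, forged = sample_requests(t0)
    print("legit :", check_config_change(legit, now=t0))
    print("forged:", check_config_change(forged, now=t0))
    print("stale :", check_config_change(legit, now=t0 + 400))
    for entry in audit_log:
        print(entry)
```

The Origin check and the token check are deliberately independent: a proxy that strips the Origin header would otherwise silently disable CSRF protection, and a token leaked through an XSS flaw (CWE-79, also listed in this advisory) would otherwise be enough on its own. The re-authentication window means that even a request that passes both checks is rejected once the operator's last password prompt is older than five minutes.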
API:
/api/v1/advisories/6eb35e77-9812-48f2-a7de-95dfdd299967