← Advisories

KevinLAB BEMS 1.0 Unauthenticated SQL Injection / Authentication Bypass

Critical
Advisory ID
ZSL-2021-5655
Release Date
20 July 2021
Vendor
KevinLAB Inc. - http://www.kevinlab.com
Affected Version
4ST L-BEMS 1.0.0 (Building Energy Management System)
CVE
CVE-2021-37291
Tested On
Linux CentOS 7, Apache 2.4.6, Python 2.7.5, PHP 5.4.16, MariaDB 5.5.68
Summary

KevinLab is a venture company specialized in IoT, Big Data, A.I based energy management platform. KevinLAB's BEMS (Building Energy Management System) enables efficient energy management in buildings. It improves the efficient of energy use by collecting and analyzing various information of energy usage and facilities in the building. It also manages energy usage, facility efficiency and indoor environment control.

Description

The application suffers from an unauthenticated SQL Injection vulnerability. Input passed through 'input_id' POST parameter in '/http/index.php' is not properly sanitised before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code and bypass the authentication mechanism.

Proof of Concept
kevinlab_bems_sqli.txtTXT
Disclosure Timeline
05.07.2021Vulnerability discovered.
08.07.2021Vendor contacted.
12.07.2021No response from the vendor.
13.07.2021Vendor contacted.
19.07.2021No response from the vendor.
20.07.2021Public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
[1]https://packetstormsecurity.com/files/163572/
[2]https://www.exploit-db.com/exploits/50146
[3]https://cxsecurity.com/issue/WLB-2021070122
[4]https://exchange.xforce.ibmcloud.com/vulnerabilities/205980
[5]https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37291
Changelog
20.07.2021Initial release
21.07.2021Added reference [1], [2] and [3]
22.07.2021Added reference [4]
11.04.2022Added reference [5]