Executive Summary

Summary
Title DTE Energy Insight app vulnerable to information exposure
Informations
Name VU#713312 First vendor Publication 2016-03-11
Vendor VU-CERT Last vendor Modification 2016-03-14
Severity (Vendor) N/A Revision M

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:S/C:P/I:N/A:N)
Cvss Base Score 4 Attack Range Network
Cvss Impact Score 2.9 Attack Complexity Low
Cvss Expoit Score 8 Authentication Requires single instance
Calculate full CVSS 2.0 Vectors scores

Detail

Vulnerability Note VU#713312

DTE Energy Insight app vulnerable to information exposure

Original Release date: 11 Mar 2016 | Last revised: 14 Mar 2016

Overview

The DTE Energy Insight app API allows an authenticated user to obtain and query certain limited customer information from other customers.

Description

CWE-200: Information Exposure - CVE-2016-1562

The DTE Energy Insight app lets DTE Energy customers track their energy usage. This information is exposed via an HTTP REST API.

The API contains a parameter 'filter' that may be manipulated by an authenticated user. This parameter determines the customer data to be returned by the server. By manipulating the 'filter' parameter, an authorized user may be able to obtain and query limited customer information for other users.

The researcher has released a blog post with more details.

Impact

A remote, authenticated user may be able to obtain limited information about other customers.

Solution

DTE Energy has updated its Insight server backend to mitigate this issue. The researcher has confirmed that the APIs no longer allow access to other data.

Vendor Information (Learn More)

VendorStatusDate NotifiedDate Updated
DTE EnergyAffected03 Feb 201601 Mar 2016
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

GroupScoreVector
Base4.0AV:N/AC:L/Au:S/C:P/I:N/A:N
Temporal3.1E:POC/RL:OF/RC:C
Environmental2.3CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

  • http://jeffq.com/blog/dteenergy-insight/
  • https://play.google.com/store/apps/details?id=com.dteenergy.insight&hl=en

Credit

Thanks to Jeffrey Quesnelle for reporting this vulnerability.

This document was written by Garret Wassermann.

Other Information

  • CVE IDs:CVE-2016-1562
  • Date Public:10 Mar 2016
  • Date First Published:11 Mar 2016
  • Date Last Updated:14 Mar 2016
  • Document Revision:39

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Original Source

Url : http://www.kb.cert.org/vuls/id/713312

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-200 Information Exposure

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 1

Alert History

If you want to see full details history, please login or register.
0
1
2
3
4
5
6
Date Informations
2016-03-19 09:29:08
  • Multiple Updates
2016-03-14 17:22:49
  • Multiple Updates
2016-03-14 05:29:09
  • Multiple Updates
2016-03-14 05:24:27
  • Multiple Updates
2016-03-12 09:27:54
  • Multiple Updates
2016-03-11 21:30:49
  • Multiple Updates
2016-03-11 21:25:32
  • First insertion