
Eaton Releases Patches to Fix Severe Vulnerabilities in its Intelligent Power Manager Software

Eaton’s Intelligent Power Manager (IPM) had some severe vulnerabilities, which potentially allowed threat actors to disrupt power supply. Eaton has released patches to fix them.


Eaton, a power management solutions provider, had some severe vulnerabilities in its Intelligent Power Manager (IPM) solution, which potentially allowed threat actors to penetrate and disrupt the power supply. Eaton has released patches to fix them.

Eaton’s IPM Vulnerabilities

Eaton’s IPM solution is meant to ensure system uptime and data integrity by providing organizations with remote access. Using this solution, one can remotely monitor, manage, and control the uninterruptible power supply (UPS) devices on the network.

However, as per the security advisories published this month by Eaton and the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the IPM product was plagued with six high-severity vulnerabilities. While some of the vulnerabilities can only be exploited by an authenticated attacker, others can be exploited without authentication, including to achieve arbitrary code execution.


Vulnerability Details

 CVE-2021-23276 

CVSS v3 Base Score – 7.1

CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)

Eaton Intelligent Power Manager (IPM) prior to version 1.69 is vulnerable to authenticated SQL injection. A malicious user could send a specially crafted packet to exploit this vulnerability. Successful exploitation could allow attackers to add users to the database.

 CVE-2021-23277 

CVSS v3 Base Score – 8.3

CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)

Eaton Intelligent Power Manager (IPM) prior to version 1.69 is vulnerable to unauthenticated eval injection. The software does not neutralize code syntax in user input before using it in the dynamic evaluation call in the ‘loadUserFile’ function under scripts/libs/utils.js. Successful exploitation could allow attackers to control the input to the function and execute attacker-controlled commands.
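The eval-injection pattern described above, next to a data-only alternative. This is an added example, not Eaton's code: the page does not show the body of ‘loadUserFile’, so the function names, the two-field schema and the sample inputs are assumptions constructed for illustration.

```javascript
// Added illustration, not Eaton code. Function names and schema are hypothetical.

// Vulnerable pattern (CWE-95): user-supplied file text reaches a dynamic
// evaluation call, so any expression embedded in it is executed.
function loadUserFileUnsafe(text) {
  return eval('(' + text + ')');
}

// Hardened pattern: treat the file as data. JSON.parse never executes code,
// and the explicit checks reject anything outside the expected shape.
const ALLOWED_KEYS = new Set(['name', 'refreshSeconds']); // assumed schema

function loadUserFileSafe(text) {
  if (typeof text !== 'string' || text.length > 64 * 1024) {
    return { ok: false, error: 'input must be a string of at most 64 KiB' };
  }
  let parsed;
  try {
    parsed = JSON.parse(text);
  } catch (err) {
    return { ok: false, error: 'not valid JSON' };
  }
  if (parsed === null || typeof parsed !== 'object' || Array.isArray(parsed)) {
    return { ok: false, error: 'top level must be an object' };
  }
  for (const key of Object.keys(parsed)) {
    if (!ALLOWED_KEYS.has(key)) {
      return { ok: false, error: 'unexpected key: ' + key };
    }
  }
  if (typeof parsed.name !== 'string' || !/^[\w .-]{1,64}$/.test(parsed.name)) {
    return { ok: false, error: 'name has an invalid value' };
  }
  if (!Number.isInteger(parsed.refreshSeconds) ||
      parsed.refreshSeconds < 1 || parsed.refreshSeconds > 3600) {
    return { ok: false, error: 'refreshSeconds must be an integer in 1..3600' };
  }
  return { ok: true, value: { name: parsed.name, refreshSeconds: parsed.refreshSeconds } };
}

// Constructed inputs: one plain settings file, one carrying code syntax.
const benignFile = '{"name": "rack-a", "refreshSeconds": 30}';
const codeFile = '{"name": (globalThis.evalRan = true, "rack-a"), "refreshSeconds": 30}';

console.log(loadUserFileSafe(benignFile));
console.log(loadUserFileSafe(codeFile));
console.log(loadUserFileUnsafe(codeFile), globalThis.evalRan);
```

The embedded expression runs under the eval-based loader and sets the flag, while the JSON-based loader rejects the same input before any of it is interpreted.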

 CVE-2021-23278 

CVSS v3 Base Score – 8.7

CWE-20: Improper Input Validation

Eaton Intelligent Power Manager (IPM) prior to version 1.69 is vulnerable to authenticated arbitrary file deletion. The vulnerability occurs due to improper input validation at server/maps_srv.js with action ‘removeBackground’ and at server/node_upgrade_srv.js with action ‘removeFirmware’. An attacker could send specially crafted packets to delete files on the system where the IPM software is installed.

 CVE-2021-23279 

CVSS v3 Base Score – 8.0

CWE-20: Improper Input Validation

Eaton Intelligent Power Manager (IPM) prior to version 1.69 is vulnerable to unauthenticated arbitrary file deletion. The vulnerability is caused by improper input validation in the meta_driver_srv.js class, where the ‘saveDriverData’ action uses an unvalidated ‘driverID’. An attacker could send specially crafted packets to delete files on the system where the IPM software is installed.
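The input validation that CVE-2021-23278 and CVE-2021-23279 describe as missing can be sketched as an allowlist on the identifier plus a containment check on the resolved path. This is an added example, not Eaton's code: the storage directory, the ".json" suffix, the ID format and the sample inputs are assumptions, since the page does not describe how IPM builds its file paths.

```javascript
// Added illustration, not Eaton code. DRIVER_DIR, the ".json" suffix and the
// ID format are assumptions; the page does not describe the real layout.
const path = require('path');

const DRIVER_DIR = '/var/lib/example-ipm/drivers'; // hypothetical storage root
const ID_PATTERN = /^[A-Za-z0-9_-]{1,64}$/; // allowlist: no dots, slashes, NULs

// What an unvalidated handler effectively computes before deleting or writing.
function naiveDriverPath(driverID) {
  return path.join(DRIVER_DIR, driverID + '.json');
}

// Validated resolution: allowlist the ID, then confirm the resolved path is
// still inside DRIVER_DIR (defence in depth if the pattern is ever loosened).
function resolveDriverPath(driverID) {
  if (typeof driverID !== 'string' || !ID_PATTERN.test(driverID)) {
    return { ok: false, reason: 'driverID rejected by allowlist' };
  }
  const base = path.resolve(DRIVER_DIR);
  const target = path.resolve(base, driverID + '.json');
  const rel = path.relative(base, target);
  if (rel === '' || rel.startsWith('..') || path.isAbsolute(rel)) {
    return { ok: false, reason: 'resolved path escapes storage root' };
  }
  return { ok: true, path: target };
}

// Only a handler that received { ok: true } would go on to call fs.unlink(path).
function auditIds(ids) {
  return ids.map((id) => ({
    id,
    naiveEscapesRoot: typeof id === 'string' &&
      path.relative(DRIVER_DIR, naiveDriverPath(id)).startsWith('..'),
    decision: resolveDriverPath(id),
  }));
}

// Constructed inputs: a normal ID, a traversal string, a wrong type.
const SAMPLE_IDS = ['ups-9130', '../../settings', { toString: () => 'x' }];
console.log(JSON.stringify(auditIds(SAMPLE_IDS), null, 2));
```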

 CVE-2021-23280 

CVSS v3 Base Score – 8.0

CWE-434: Unrestricted Upload of File with Dangerous Type

Eaton Intelligent Power Manager (IPM) prior to version 1.69 is vulnerable to authenticated arbitrary file upload. IPM’s maps_srv.js allowed an attacker to upload a malicious NodeJS file using the ‘uploadBackgroud’ action. An attacker could upload malicious code or execute any command using a specially crafted packet to exploit the vulnerability.

 CVE-2021-23281 

CVSS v3 Base Score – 8.3

CWE-94: Improper Control of Generation of Code (‘Code Injection’)

Eaton Intelligent Power Manager (IPM) prior to version 1.69 is vulnerable to unauthenticated remote code execution. The IPM software does not sanitize the date provided via the ‘coverterCheckList’ action in the meta_driver_srv.js class. Attackers could send a specially crafted packet to make IPM connect to a rogue SNMP server and execute attacker-controlled code.

Eaton’s Affected Products

As per Eaton’s advisory, the following three products and versions are affected by these vulnerabilities:

  • Eaton Intelligent Power Manager (IPM) – all versions prior to 1.69
  • Eaton Intelligent Power Manager Virtual Appliance (IPM VA) – all versions prior to 1.69
  • Eaton Intelligent Power Protector (IPP) – all versions prior to 1.68

Amir Preminger, VP of research at industrial cybersecurity firm Claroty, who has been credited by Eaton for reporting the six vulnerabilities, told SecurityWeek that the issues were identified on a web server interface of the IPM software that enables users to configure the product. This web server is typically accessible from the local network and is not hosted on public-facing servers.

The goal of the Eaton IPM software is to enable users to manage their UPS system. By exploiting a server using this software, an attacker can disrupt the UPS operations and therefore disrupt the power supply to equipment that relies on the UPS as its power source. The bottom line is that this product should be patched since a few of the CVEs are pre-auth and could be exploited by adversaries without prior knowledge about the server setup.

– Preminger explained

In addition to applying the patches, Eaton has recommended that its users block ports 4679 and 4680 to prevent exploitation. Eaton also provides additional information on general security best practices.
