Critical HVAC and UPS Vulnerabilities Could Let Hackers Disrupt Data Centers

Claroty researchers have analyzed the security of Vertiv UPS network cards and the Trane Tracer SC+ HVAC controller.

Researchers at cyber-physical systems security firm Claroty have uncovered multiple vulnerabilities in two widely deployed HVAC and UPS products used in data centers, demonstrating how attackers could exploit them to launch disruptive remote attacks.

The researchers targeted network cards designed to provide a network interface for uninterruptible power supply devices made by Vertiv.

“UPSs are heavily used in data centers to maintain operations in the event of a power outage; they also protect systems from power spikes and drops, and enable safe shutdowns,” Claroty noted.

The security firm’s researchers found that the Vertiv network cards, which provide a default web interface for UPS devices, are affected by two vulnerabilities: an authentication bypass flaw and a remote code execution vulnerability.

Chaining the two security holes can allow an attacker to remotely access the targeted UPS and execute arbitrary code, potentially causing significant operational disruptions.

“What makes [the vulnerabilities] especially concerning is the context: in large data centers, virtually all computing equipment relies on UPS devices to stay online during power issues,” Claroty explained. “Any weakness in those UPS communication modules can directly affect the machines they protect.”

Separately, Claroty researchers analyzed the Trane Tracer SC+ HVAC controller, which is widely used in data centers and other critical environments worldwide.

They discovered several flaws, including authentication bypass, remote code execution, denial-of-service (DoS), and sensitive information disclosure issues.

“The vulnerabilities are highly exploitable and, if weaponized, could allow unauthenticated remote code execution (RCE) and extensive sensitive information disclosure. In practice, this could give an attacker complete control over a critical building management system from the outside,” Claroty said.

“Data center servers generate enormous amounts of heat, and an HVAC failure is far more than a comfort issue. It can trigger thermal shutdowns, damage expensive hardware, cause major service disruptions, and lead to millions of dollars in losses,” the company noted.

Claroty reported its findings to Trane and Vertiv and worked with them to patch the vulnerabilities.

Copyright © 2026 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.