Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

ICS/OT

Vulnerabilities Allow Hackers to Hijack, Disrupt Socomec UPS Devices

A researcher has found 7 vulnerabilities in Socomec UPS products that can be exploited to hijack and disrupt devices. 

Some uninterruptible power supply (UPS) products made by Socomec are affected by several vulnerabilities that can be exploited to hijack and disrupt devices.

Socomec is a France-based electrical equipment manufacturing company that specializes in low voltage energy performance. Its offering includes modular UPS devices that are used by businesses in various sectors around the world.

Aaron Flecha Menendez, an ICS security consultant at Spain-based cybersecurity firm S21sec, discovered that some Socomec UPS devices, specifically MODULYS GP (MOD3GP-SY-120K), are affected by seven vulnerabilities.

The list includes cross-site scripting (XSS), plaintext password storage, code injection, session cookie theft, cross-site request forgery (CSRF), and insecure storage of sensitive information, with severities ranging from ‘medium’ to ‘critical’.

US cybersecurity agency CISA last week published an advisory to notify organizations about these vulnerabilities, pointing out that the impacted product has reached end of life. 

Organizations have been advised by the vendor to stop using the outdated product and upgrade to MODULYS GP2 (M4-S-XXX), which should not be impacted by the security flaws.

Businesses still using the vulnerable product could be exposing themselves to significant risks, as the security holes can allow an attacker who has knowledge of how the system works to modify its behavior and prevent it from functioning properly. 

“Among the scenarios that can be achieved, the worst-case scenario would undoubtedly be disrupting the UPS management and affecting its ability to provide backup power,” Flecha Menendez told SecurityWeek.

Advertisement. Scroll to continue reading.

Fortunately, there do not appear to be any vulnerable UPS products that are directly exposed to the internet. However, an attacker who is inside the targeted organization’s network could chain some of the MODULYS GP vulnerabilities for a higher impact.

“The use of the ‘unsafe storage of sensitive information’ vulnerability (CVE-2023-41965), allows obtaining a valid session cookie that does not expire (CVE-2023-41084), which can then be used for remote code injection (CVE-2023-40221). The combination of these 3 vulnerabilities would allow the attacker to gain full control of the device at the management level and affect its correct functioning,” the researcher explained. 

The researcher has not tested the newer product models so he cannot confirm that they are indeed not affected by the vulnerabilities, as claimed by the vendor. 

It’s important that organizations using the vulnerable product take action, as attacks targeting UPS devices are not unheard of. The US government last year issued a warning to businesses about such attacks, providing guidance on how the threat can be mitigated. 

UPDATE: On November 13, 2023, Socomec representatives sent the following statement to SecurityWeek (slightly edited for clarity):

The UPS model on which the vulnerability has been discover is an old generation UPS that was phased out, stopping its production in 2014. 10 years ago, the Cyber Security topic was not a major factor and above all that machine only had the possibility of being connected to a LAN at the customer’s premises without the possibility of a direct connection to the internet; meaning that any IT problems would only be caused by someone who has the right to access inside the customer’s company network.

The current Modulys UPS model is a brand new generation in terms of system, power modules, firmware and communication features; it is in production since 2015, replacing the previous generation. This unit can be equipped with an independent network interface board to be connected to LAN and Internet in order to deliver web monitoring and remote maintenance services.

However this network interface that includes IoT access has been tested by a qualified 3rd party body through pen testing with official reporting on cyber security following the required safety standards ISO27002:2022.

Learn More at SecurityWeek’s ICS Cyber Security Conference
The leading global conference series for Operations, Control Systems and OT/IT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.
ICS Cybersecurity Conference
October 23-26, 2023 | Atlanta
www.icscybersecurityconference.com

Related: Power Management Product Flaws Can Expose Data Centers to Damaging Attacks, Spying

Related: CISA Informs Organizations of Flaws in Unsupported Industrial Telecontrol Devices

Related: Millions of APC Smart UPS Devices Can Be Remotely Hacked, Damaged

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn about active threats targeting common cloud deployments and what security teams can do to mitigate them.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.