Some uninterruptible power supply (UPS) products made by Socomec are affected by several vulnerabilities that can be exploited to hijack and disrupt devices.
Socomec is a France-based electrical equipment manufacturing company that specializes in low voltage energy performance. Its offering includes modular UPS devices that are used by businesses in various sectors around the world.
Aaron Flecha Menendez, an ICS security consultant at Spain-based cybersecurity firm S21sec, discovered that some Socomec UPS devices, specifically MODULYS GP (MOD3GP-SY-120K), are affected by seven vulnerabilities.
The list includes cross-site scripting (XSS), plaintext password storage, code injection, session cookie theft, cross-site request forgery (CSRF), and insecure storage of sensitive information, with severities ranging from ‘medium’ to ‘critical’.
US cybersecurity agency CISA last week published an advisory to notify organizations about these vulnerabilities, pointing out that the impacted product has reached end of life.
Organizations have been advised by the vendor to stop using the outdated product and upgrade to MODULYS GP2 (M4-S-XXX), which should not be impacted by the security flaws.
Businesses still using the vulnerable product could be exposing themselves to significant risks, as the security holes can allow an attacker who has knowledge of how the system works to modify its behavior and prevent it from functioning properly.
“Among the scenarios that can be achieved, the worst-case scenario would undoubtedly be disrupting the UPS management and affecting its ability to provide backup power,” Flecha Menendez told SecurityWeek.
Fortunately, there do not appear to be any vulnerable UPS products that are directly exposed to the internet. However, an attacker who is inside the targeted organization’s network could chain some of the MODULYS GP vulnerabilities for a higher impact.
“The use of the ‘unsafe storage of sensitive information’ vulnerability (CVE-2023-41965), allows obtaining a valid session cookie that does not expire (CVE-2023-41084), which can then be used for remote code injection (CVE-2023-40221). The combination of these 3 vulnerabilities would allow the attacker to gain full control of the device at the management level and affect its correct functioning,” the researcher explained.
The researcher has not tested the newer product models so he cannot confirm that they are indeed not affected by the vulnerabilities, as claimed by the vendor.
It’s important that organizations using the vulnerable product take action, as attacks targeting UPS devices are not unheard of. The US government last year issued a warning to businesses about such attacks, providing guidance on how the threat can be mitigated.
UPDATE: On November 13, 2023, Socomec representatives sent the following statement to SecurityWeek (slightly edited for clarity):
The UPS model on which the vulnerability has been discover is an old generation UPS that was phased out, stopping its production in 2014. 10 years ago, the Cyber Security topic was not a major factor and above all that machine only had the possibility of being connected to a LAN at the customer’s premises without the possibility of a direct connection to the internet; meaning that any IT problems would only be caused by someone who has the right to access inside the customer’s company network.
The current Modulys UPS model is a brand new generation in terms of system, power modules, firmware and communication features; it is in production since 2015, replacing the previous generation. This unit can be equipped with an independent network interface board to be connected to LAN and Internet in order to deliver web monitoring and remote maintenance services.
However this network interface that includes IoT access has been tested by a qualified 3rd party body through pen testing with official reporting on cyber security following the required safety standards ISO27002:2022.
Learn More at SecurityWeek’s ICS Cyber Security Conference
The leading global conference series for Operations, Control Systems and OT/IT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.
October 23-26, 2023 | Atlanta
www.icscybersecurityconference.com
Related: Power Management Product Flaws Can Expose Data Centers to Damaging Attacks, Spying
Related: CISA Informs Organizations of Flaws in Unsupported Industrial Telecontrol Devices
Related: Millions of APC Smart UPS Devices Can Be Remotely Hacked, Damaged