Vulnerabilities Impact Multiple Rittal Products Due to Use of Same Firmware

Researchers have discovered several potentially serious vulnerabilities affecting monitoring, cooling and power distribution products made by Germany-based Rittal.

According to Austria-based cybersecurity company SEC Consult, Rittal’s CMC III industrial and IT monitoring system, LCP CW cooling system, and the entire portfolio of power distribution units (PDU) are impacted by six types of vulnerabilities. The affected products all use the same base firmware.

The vendor was informed about the vulnerabilities in late January and it has released patches for impacted products, except for PDUs. It’s unclear if these devices will ever receive fixes since the vendor is preparing to release a new product, SEC Consult said.

SecurityWeek has reached out to Rittal for clarifications, but the company has yet to respond.

The vulnerabilities, which have been described by SEC Consult as critical, can be exploited to bypass restrictions, obtain elevated privileges, and execute arbitrary commands.

One vulnerability is related to the command-line interface (CLI) menu where users can configure a device when connecting to it via SSH. An attacker can escape the menu and access the entire filesystem with the account used for SSH login, which can be useful for conducting further attacks.

SEC Consult researchers also found that important operating system files such as /etc/shadow and /etc/passwd can be read and modified by any authenticated user. For instance, an attacker with low-privileged access to the device can modify the shadow file to elevate privileges to root.
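A defender can check for this class of misconfiguration on a running device or an unpacked root filesystem. The following audit is an added example, not code from SEC Consult or Rittal; the permission ceilings in `POLICY` are assumptions based on common Linux defaults, and `audit_account_files` is a name chosen for illustration.

```python
import os
import stat

# Assumed policy (common Linux defaults, not taken from vendor documentation):
# the most permissive mode each account file may carry.
POLICY = {
    "passwd": 0o644,  # readable by all, writable only by the owner
    "shadow": 0o640,  # no access at all for "other"
}

def audit_account_files(etc_dir, expected_uid=0):
    """Return (path, problem) findings for the account files under etc_dir."""
    findings = []
    for name, max_mode in POLICY.items():
        path = os.path.join(etc_dir, name)
        try:
            st = os.lstat(path)  # lstat: do not follow a symlink planted in place
        except FileNotFoundError:
            findings.append((path, "missing"))
            continue
        if not stat.S_ISREG(st.st_mode):
            findings.append((path, "not a regular file"))
            continue
        mode = stat.S_IMODE(st.st_mode)
        extra = mode & ~max_mode  # bits granted beyond the ceiling
        if extra:
            findings.append(
                (path, f"mode {mode:04o} exceeds {max_mode:04o} (extra bits {extra:04o})"))
        if st.st_uid != expected_uid:
            findings.append((path, f"owner uid {st.st_uid}, expected {expected_uid}"))
    return findings

if __name__ == "__main__":
    for path, problem in audit_account_files("/etc"):
        print(f"{path}: {problem}")
```

When auditing an unpacked firmware image, file ownership is often not preserved by the extraction tool, so pass the extracting user's uid as `expected_uid` and rely on the mode findings.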

The researchers also noticed that the devices use the same password for the root account. This was determined based on the password hash contained in the shadow file, but the hash has yet to be cracked, which is why the vendor says it cannot be exploited.

Rittal products are also affected by a command injection vulnerability in the web interface, specifically the NTP server IP address settings. An attacker who has admin privileges can exploit this to execute commands with root permissions.

Another issue is that the web server runs with root privileges, which means that this type of command injection vulnerability would allow an attacker to escalate privileges to root on the whole device.
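The usual mitigation for an injection through a field like the NTP server address is to accept only a parsed IP literal and to pass it to the helper as a single argument, never as shell text. The sketch below is an added example, not the vendor's patch or SEC Consult's code; the helper path `NTP_HELPER`, the function names and the sample inputs are assumptions made for illustration.

```python
import ipaddress
import re
import subprocess

# Hypothetical helper path; the firmware's real time-sync command is not on the page.
NTP_HELPER = "/usr/local/bin/ntp-sync"

# Only characters that can appear in an IPv4 or IPv6 literal. This also keeps out
# the IPv6 zone suffix ("%...") that the ipaddress module accepts on Python 3.9+.
_IP_CHARS = re.compile(r"[0-9A-Fa-f:.]{2,45}")

def parse_ntp_server(value):
    """Return the canonical form of an IP literal, or raise ValueError."""
    if not isinstance(value, str) or not _IP_CHARS.fullmatch(value):
        raise ValueError("NTP server must be a plain IPv4 or IPv6 address")
    # ip_address() raises ValueError for anything that is not a valid address.
    return str(ipaddress.ip_address(value))

def build_sync_command(value):
    """Build an argument vector; the address is one argv element after '--'."""
    # Assumes the hypothetical helper honours the conventional '--' marker.
    return [NTP_HELPER, "--", parse_ntp_server(value)]

def sync_time(value):
    """Run the helper without a shell, so metacharacters are never interpreted."""
    return subprocess.run(build_sync_command(value), shell=False,
                          check=True, timeout=10)

# Constructed sample values for the settings field (not taken from the advisory).
SAMPLES = ["192.0.2.10", "2001:db8::1", "192.0.2.10; echo x", "$(id)",
           "-h", "fe80::1%eth0", "192.0.2.10\n", ""]

def classify(samples):
    """Map each sample to its canonical address, or None when rejected."""
    result = {}
    for s in samples:
        try:
            result[s] = parse_ntp_server(s)
        except ValueError:
            result[s] = None
    return result

if __name__ == "__main__":
    for raw, parsed in classify(SAMPLES).items():
        print(f"{raw!r:24} -> {parsed or 'rejected'}")
```

Validation limits what reaches the helper, but it does not address the second issue above: a web server that runs as root still turns any remaining injection into full device compromise, so the process should also run under a dedicated unprivileged account.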

The Rittal products have also been found to use outdated versions of third-party software, including OpenSSL and the Linux kernel, which can contain serious vulnerabilities.

SEC Consult has only released proof-of-concept (PoC) code for the command injection vulnerability since this is the only issue that has been patched in all of the impacted products.

The cybersecurity firm told SecurityWeek that the impacted devices are typically not accessible from the internet, but Shodan has found a few internet-exposed devices, which could have been made accessible on purpose or due to misconfigurations.

An attacker who has access to the targeted device can exploit the command injection vulnerability to gain root privileges. While exploitation requires access to the product’s admin panel, an attacker could try to obtain this access using default credentials. These default credentials, such as admin-admin and pdu-pdu, are mentioned in product documentation and SEC Consult found during its tests that the default values were in most cases not changed.

An attacker could also attempt to log in via SSH using the default admin username and brute-force the root password. They could then use the su (substitute user) command to elevate privileges, SEC Consult explained.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
