Researchers have discovered several potentially serious vulnerabilities affecting monitoring, cooling and power distribution products made by Germany-based Rittal.
According to Austria-based cybersecurity company SEC Consult, Rittal’s CMC III industrial and IT monitoring system, LCP CW cooling system, and the entire portfolio of power distribution units (PDU) are impacted by six types of vulnerabilities. The affected products all use the same base firmware.
The vendor was informed about the vulnerabilities in late January and it has released patches for impacted products, except for PDUs. It’s unclear if these devices will ever receive fixes since the vendor is preparing to release a new product, SEC Consult said.
SecurityWeek has reached out to Rittal for clarifications, but the company has yet to respond.
The vulnerabilities, which have been described by SEC Consult as critical, can be exploited to bypass restrictions, obtain elevated privileges, and execute arbitrary commands.
One vulnerability is related to the command-line interface (CLI) menu where users can configure a device when connecting to it via SSH. An attacker can escape the menu and access the entire filesystem with the account used for SSH login, which can be useful for conducting further attacks.
Learn more about vulnerabilities in industrial systems at SecurityWeek’s 2020 ICS Cyber Security Conference and SecurityWeek’s Security Summits virtual event series
SEC Consult researchers also found that important operating system files such as /etc/shadow and /etc/passwd can be read and modified by any authenticated user. For instance, an attacker with low-privileged access to the device can modify the shadow file to elevate privileges to root.
The researchers also noticed that the devices use the same password for the root account. This was determined based on the password hash contained in the shadow file, but the hash has yet to be cracked, which is why the vendor says it cannot be exploited.
Rittal products are also affected by a command injection vulnerability in the web interface, specifically the NTP server IP address settings. An attacker who has admin privileges can exploit this to execute commands with root permissions.
Another issue is that the web server runs with root privileges, which means that this type of command injection vulnerability would allow an attacker to escalate privileges to root on the whole device.
The Rittal products have also been found to use outdated versions of third-party software, including OpenSSL and the Linux kernel, which can contain serious vulnerabilities.
SEC Consult has only released proof-of-concept (PoC) code for the command injection vulnerability since this is the only issue that has been patched in all of the impacted products.
The cybersecurity firm told SecurityWeek that the impacted devices are typically not accessible from the internet, but Shodan has found a few internet-exposed devices, which could have been made accessible on purpose or due to misconfigurations.
An attacker who has access to the targeted device can exploit the command injection vulnerability to gain root privileges. While exploitation requires access to the product’s admin panel, an attacker could try to obtain this access using default credentials. These default credentials, such as admin-admin and pdu-pdu, are mentioned in product documentation and SEC Consult found during its tests that the default values were in most cases not changed.
An attacker could also attempt to log in via SSH using the default admin username and brute-force the root password. They could then use the su (substitute user) command to elevate privileges, SEC Consult explained.
Related: Critical Vulnerabilities Found in Rittal Cooling System