There is a path traversal vulnerability in certain legacy Eaton ePDUs that are past end-of-life (EoL) and no longer receive support, but Eaton provided defense-in-depth mitigation instructions to protect devices still in use, according to a report with ICS-CERT.
This vulnerability, discovered by independent researcher Maxim Rupp, could be remotely exploitable.
Eaton reports the vulnerability affects the following products:
• EAMxxx prior to June 30, 2015
• EMAxxx prior to January 31, 2014
• EAMAxx prior to January 31, 2014
• EMAAxx prior to January 31, 2014
• ESWAxx prior to January 31, 2014
An unauthenticated attacker may be able to exploit this vulnerability to access configuration files.
Eaton is a U.S.-based company that maintains offices worldwide.
The affected products, ePDUs, are rack-mounted power distribution units. Eaton said ePDUs are deployed across several sectors including commercial facilities, critical manufacturing, energy, water and wastewater systems, and others. Eaton said these products are used on a global basis.
With the path traversal vulnerability, an unauthenticated attacker may be able to use a specially crafted URL to access configuration files.
CVE-2016-9357 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 5.3.
No known public exploits specifically target this vulnerability. However, an attacker with a low skill level would be able to exploit this vulnerability.
Eaton declared these products EoL on January 31, 2014, and June 30, 2015. Eaton recommended users of the affected legacy products follow the recommendations outlined in the defense-in-depth section of Eaton’s whitepaper entitled “Cybersecurity considerations for electrical distribution systems.”
Additional information regarding these and other legacy products can be found on the Eaton web site.