Vulnerabilities Enable Hackers to Hijack, Disrupt Socomec UPS Units

Some uninterruptible power supply (UPS) products made by Socomec are affected by several vulnerabilities that can be exploited to hijack and disrupt devices.

Socomec is a France-based electrical equipment manufacturing company that specializes in low-voltage power efficiency. Its offering includes modular UPS devices that are used by businesses in various sectors around the world.

Aaron Flecha Menendez, an ICS security advisor at Spain-based cybersecurity firm S21sec, discovered that some Socomec UPS devices, specifically MODULYS GP (MOD3GP-SY-120K), are affected by seven vulnerabilities.

The list includes cross-site scripting (XSS), plaintext password storage, code injection, session cookie theft, cross-site request forgery (CSRF), and insecure storage of sensitive information, with severities ranging from ‘medium’ to ‘important’.

The US cybersecurity agency CISA last week published an advisory to inform organizations about these vulnerabilities, stating that the impacted product has reached end of life.

Organizations have been advised by the vendor to stop using the outdated product and upgrade to MODULYS GP2 (M4-S-XXX), which should not be impacted by the security flaws.

Companies still using the vulnerable product could be exposing themselves to significant risks, as the security holes can allow an attacker who has knowledge of how the system works to modify its behavior and prevent it from functioning properly.

“Among the many situations that may be achieved, the worst-case situation would undoubtedly be disrupting the UPS administration and affecting its skill to supply backup energy,” Flecha Menendez told information.killnetswitch.

Fortunately, there do not appear to be any vulnerable UPS products that are directly exposed to the internet. However, an attacker who is inside the targeted organization’s network could chain some of the MODULYS GP vulnerabilities for a higher impact.

“Using the ‘unsafe storage of delicate data’ vulnerability (CVE-2023-41965), permits acquiring a legitimate session cookie that doesn’t expire (CVE-2023-41084), which may then be used for distant code injection (CVE-2023-40221). The mixture of those 3 vulnerabilities would enable the attacker to realize full management of the machine on the administration degree and have an effect on its appropriate functioning,” the researcher explained.

The researcher has not tested the newer product models, so he cannot confirm that they are indeed not affected by the vulnerabilities, as claimed by the vendor.

It is important that organizations using the vulnerable product take action, as attacks targeting UPS devices are not unheard of. The US government last year issued a warning to businesses about such attacks, providing guidance on how the threat can be mitigated.
