Some uninterruptible power supply (UPS) products made by Socomec are affected by several vulnerabilities that can be exploited to hijack and disrupt devices.
Socomec is a France-based electrical equipment manufacturing company that specializes in low voltage energy performance. Its offering includes modular UPS devices that are used by businesses in various sectors around the world.
Aaron Flecha Menendez, an ICS security consultant at Spain-based cybersecurity firm S21sec, discovered that some Socomec UPS devices, specifically MODULYS GP (MOD3GP-SY-120K), are affected by seven vulnerabilities.
The list includes cross-site scripting (XSS), plaintext password storage, code injection, session cookie theft, cross-site request forgery (CSRF), and insecure storage of sensitive information, with severities ranging from ‘medium’ to ‘critical’.
US cybersecurity agency CISA last week published an advisory to notify organizations about these vulnerabilities, pointing out that the impacted product has reached end of life.
Organizations have been advised by the vendor to stop using the outdated product and upgrade to MODULYS GP2 (M4-S-XXX), which should not be impacted by the security flaws.
Businesses still using the vulnerable product could be exposing themselves to significant risks, as the security holes can allow an attacker who has knowledge of how the system works to modify its behavior and prevent it from functioning properly.
“Among the scenarios that can be achieved, the worst-case scenario would undoubtedly be disrupting the UPS management and affecting its ability to provide backup power,” Flecha Menendez told SecurityWeek.
Fortunately, there do not appear to be any vulnerable UPS products that are directly exposed to the internet. However, an attacker who is inside the targeted organization’s network could chain some of the MODULYS GP vulnerabilities for a higher impact.
“The use of the ‘unsafe storage of sensitive information’ vulnerability (CVE-2023-41965), allows obtaining a valid session cookie that does not expire (CVE-2023-41084), which can then be used for remote code injection (CVE-2023-40221). The combination of these 3 vulnerabilities would allow the attacker to gain full control of the device at the management level and affect its correct functioning,” the researcher explained.
The researcher has not tested the newer product models so he cannot confirm that they are indeed not affected by the vulnerabilities, as claimed by the vendor.
It’s important that organizations using the vulnerable product take action, as attacks targeting UPS devices are not unheard of. The US government last year issued a warning to businesses about such attacks, providing guidance on how the threat can be mitigated.
Related: Power Management Product Flaws Can Expose Data Centers to Damaging Attacks, Spying
Related: CISA Informs Organizations of Flaws in Unsupported Industrial Telecontrol Devices
Related: Millions of APC Smart UPS Devices Can Be Remotely Hacked, Damaged