Pentagrid identified several vulnerabilities in the PE8108 rack power distribution unit (PDU) manufactured by Aten. The PE8108 is an outlet-metered and switched rack-mountable PDU, which means it measures the power of connected devices on a per-outlet basis and allows switching individual outlets on and off. The PDU can be controlled, for example, via HTTP/HTTPS and Telnet. Accordingly, the PDU provides authentication and supports multiple users, with the option to restrict a user's access to certain outlets. During a review, Pentagrid found authorization checks to be broken in several places, which might lead to a compromise of the appliance. Since the main purpose of the PDU is to distribute power to data center components, the main threat is that attackers switch off parts of the infrastructure.
2022-12-28: Vulnerabilities found.
2022-12-30: Further vulnerabilities found and preliminary advisory written.
2022-12-31: Initial contact for coordinated disclosure via Aten's technical request contact form (SR# K221214216-824). Pentagrid's disclosure policy was communicated.
2023-01-03: Pentagrid provided the preliminary advisory and further details.
2023-01-10: Aten provided the estimation that a new release will be available earliest in Q1 2023.
2023-01-10: Pentagrid communicated 2023-04-03 as the date for the advisory release, in accordance with the 90-day period in Pentagrid's disclosure policy.
2023-03-02: A few CVE-IDs have been assigned.
2023-03-19: Tried to get a status update via the technical support, but the support web interface does not allow sending further messages within the existing support case. Tried to send an e-mail to email@example.com, but received a mail bounce.
2023-04-03: Advisory published. No updated firmware was found to be published.
2023-08-02: As of this date, Aten has not provided an update.
The identified vulnerabilities affect an Aten PE8108G running firmware version 2.4.232 released on 22 November 2022. Other firmware versions are likely affected as well.
2. Weak session management
The web interface provides session management. As described above, there are several authorization weaknesses, but the session management itself also has weaknesses, which are summarized here. In general, the web application identifies a session via the SID parameter, which is a 16-hex-digit session identifier. When a user logs into the PDU's web interface, the browser sends a username and password along with a client-generated session ID. On authentication success, the session ID is then bound to the authenticated session.
2.1 Sensitive session ID transferred via URL parameter
CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N, 0.0 Information
This session ID is sensitive information. The browser sends this SID as a URL parameter to the web interface. URL parameters are usually an inadequate place to carry sensitive information, because parameter values may leak through proxy servers, browser histories, browser plugins, SSL-intercepting proxies, etc. Corresponding example URLs are shown in this advisory. The session ID may also leak via the HTTP Referer header, which the application does not control, for example via a referrer policy.
Impact: If a session ID leaks, an attacker is able to compromise a session. With access to the web interface, most PDU functions would be usable.
Precondition: An attacker must be able to obtain a session ID (for example via a leak). The session must be valid and the attacker needs direct or indirect access to the PDU's web interface.
2.2 Potential session fixation
CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N, 0.0 Information
The web browser generates the session ID. During the login, the session ID is bound to an authentication state. If an attacker were able to set the session ID to a known value before authentication, the session would be compromised. This could be possible in combination with a cross-site scripting vulnerability, but no such vulnerability was found.
Impact: If an attacker is able to set a session ID, the session would be compromised. With access to the web interface, most PDU functions would then be usable.
Details: During the authentication, the browser sends an HTTP POST request similar to the following:
    POST /xml/login_result.xml?SID=0123456789abcdef HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 44

    username=administrator&password=secret123456
The session ID (here 0123456789abcdef) could then be used for further HTTP requests.
A value of 0 for LoginValidate means an authentication success. Any other non-zero value indicates an error. As far as observed, 1 is returned for an invalid username/password pair. The server returns 3 for too many password failures, and 4 indicates a still-running user session if only a single session is allowed.
Precondition: The attacker must be able to control the session ID and needs direct or indirect access to the PDU's web interface to use its functions.
2.3 No explicit CSRF protection (CVE-2023-25411)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N, 4.7 Medium
There is no explicit protection regarding Cross-Site Request Forgery (CSRF).
Impact: In combination with unauthenticated functions, an attacker could alter configuration in the PDU, which could facilitate further attack steps.
Details: In a CSRF attack, the attacker remote-controls a target application by abusing a web browser mechanism to append authentication data, when the browser sends requests to a web application. This does not require an attacker to access the targeted web interface. Instead, another user's web browser is leveraged to perform authenticated requests to the targeted web interface.
The PDU's web interface does not rely on browser cookies, which would be sent automatically along with requests, but uses the SID URL parameter. An implicit CSRF protection is partially given via the SID parameter, which has a similar effect as an anti-CSRF token. However, as documented in this advisory, the web application does not verify the SID parameter for several API calls, and when this is not done for state-changing API calls, there is also no CSRF protection. For example, this is the case for the unauthenticated session termination.
Precondition: An attacker must be able to trick a target user's browser to send HTTP requests to the target application. There must be an unauthenticated function to call.
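The following toy session store is an added illustration of the two weaknesses described in 2.2 and 2.3; it is constructed for this advisory and is not code from the PDU's firmware. It models the login flow from the request above (client-chosen SID in the URL, LoginValidate 0/1) beside a hardened variant that issues the SID server-side, and a hypothetical logout endpoint that shows why an unverified SID on a state-changing call leaves no CSRF protection. The credential pair, the logout path and the "terminate all sessions" behaviour are assumptions.

```python
import re
import secrets
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Session IDs are 16 hex digits, as observed on the PDU.
SID_RE = re.compile(r"^[0-9a-f]{16}$")
# Constructed credential store; the username/password pair is the advisory's sample.
CREDENTIALS = {"administrator": "secret123456"}


def sid_from_url(url: str) -> str:
    """Extract the SID URL parameter, the PDU's session carrier (see 2.1)."""
    return parse_qs(urlsplit(url).query).get("SID", [""])[0]


class PduSessions:
    """Toy session store modelled on the advisory's description, not the firmware."""

    def __init__(self, trust_client_sid: bool) -> None:
        self.trust_client_sid = trust_client_sid
        self.authenticated: Dict[str, str] = {}  # sid -> username

    def login(self, url: str, username: str, password: str) -> Tuple[int, Optional[str]]:
        """Return (LoginValidate, sid): 0 on success, 1 for a bad username/password pair."""
        if CREDENTIALS.get(username) != password:
            return 1, None
        client_sid = sid_from_url(url)
        if self.trust_client_sid and SID_RE.match(client_sid):
            # Fixation-prone: the value the client chose becomes the authenticated session.
            sid = client_sid
        else:
            # Hardened: ignore the client's value and issue a fresh server-side ID.
            sid = secrets.token_hex(8)
        self.authenticated[sid] = username
        return 0, sid

    def terminate_session(self, url: str, verify_sid: bool) -> bool:
        """State-changing call (hypothetical logout endpoint). Returns True if it acted."""
        sid = sid_from_url(url)
        if not verify_sid:
            # As in the advisory: no SID check, so a cross-site request (CSRF) or any
            # unauthenticated client ends sessions. Assumed here: all sessions are ended.
            self.authenticated.clear()
            return True
        if sid not in self.authenticated:
            return False  # unauthenticated request rejected; the SID doubles as a CSRF token
        del self.authenticated[sid]
        return True
```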
/lib/jquery-1.7.1.js: This library is affected by CVE-2012-6708, CVE-2015-9251, CVE-2019-11358, CVE-2020-7656, CVE-2020-11022, CVE-2020-11023.
/lib/jquery-ui-1.8.18.custom.min.js: This library is affected by CVE-2010-5312, CVE-2012-6662, CVE-2016-7103, CVE-2022-31160, CVE-2021-41182, CVE-2021-41184, CVE-2021-41183.
All these vulnerabilities are of low to medium criticality. It has not been tested whether these vulnerabilities can be exploited.
Precondition: An attacker must be able to exploit a vulnerability in one of these libraries.
Patches and Workaround
Recommendation for the vendor:
Pentagrid recommends addressing the vulnerabilities found.
Recommendation for users:
At the time of publication, the most recent firmware is version 2.4.232 from 2022-11-22, and there is no new firmware available via Aten's website. Pentagrid recommends not exposing management interfaces, as a matter of attack surface reduction. Ideally, management interfaces are only accessible from a management network segment. Once an update is published, Pentagrid recommends reviewing the change-log and installing the update. Updates are likely published at the product page under Support and Downloads.
These vulnerabilities have been found by Martin Schobert (Pentagrid).