Web interface flaw threatens reliability of cyber-physical systems
When considering device vulnerabilities, we often think of flaws in low-level protocol and software stacks. However, the web interface used to manage many OT and IoT devices today is a significant risk area in its own right.
Recently, we analyzed a power distribution unit (PDU), the Schneider Electric / APC AP7920B, in our lab and discovered a vulnerability in its web interface. We reported it through a responsible disclosure process, and CISA and Schneider Electric published ICS-CERT Notice ICSA-21-348-02 and SEVD-2021-348-04, respectively, publicly disclosing it. This is the latest in a series of research findings from Nozomi Networks regarding OT and IoT security.
A PDU is a device used to monitor and distribute electrical power to the equipment connected to it. If a malicious actor obtains privileged access to a PDU, they can switch off outlets and force the connected equipment to restart, putting operational availability at risk.
The Schneider Electric / APC PDU in question is a switched rack unit used in physical infrastructure such as power, transportation, and water / wastewater systems. The vulnerability we discovered applies when its management software is used with the latest versions of certain browsers available at the time of the research. This means that approximately ten percent of all desktop browsers in the world could have been successfully exploited to execute an attack.1
In this article, we describe PDUs, web security fundamentals, and the AP7920B vulnerability. This particular issue, combined with other security weaknesses, could allow an attacker to elevate low-level application privileges to high-level ones, providing the permissions and opportunity needed to shut down or damage the connected equipment.