Full Report
Researchers at cyber-physical systems security firm Claroty have uncovered multiple vulnerabilities in two widely deployed HVAC and UPS products used in data centers, demonstrating how attackers could exploit them to launch disruptive remote attacks. The researchers targeted network cards designed to provide a network interface for uninterruptible power supply devices made by Vertiv. “UPSs are heavily used…
Analysis Summary
# Vulnerability: Critical Flaws in Vertiv UPS and HVAC Infrastructure
## CVE Details
*Note: While the provided article confirms the discovery of multiple vulnerabilities by Claroty Team82, specific CVE IDs and individual scores are often released in the detailed technical advisories linked within such summaries.*
- **CVE ID:** Pending/Multiple (Referenced as Vertiv-related vulnerabilities)
- **CVSS Score:** Up to 9.8 (Critical)
- **CWE:** CWE-78 (OS Command Injection), CWE-287 (Improper Authentication)
## Affected Systems
- **Products:**
  - Vertiv Liebert Uninterruptible Power Supplies (UPS)
  - Vertiv Network Interface Cards (Unity Cards: IS-UNITY-DP, IS-UNITY-SNMP)
  - Vertiv HVAC Control Systems (Liebert iCOM)
- **Versions:** Multiple legacy and current firmware versions used in data center environments.
- **Configurations:** Devices equipped with network management cards (NMCs) enabling remote monitoring and management over Ethernet.
## Vulnerability Description
Researchers identified several flaws in the web management interfaces and communication protocols used by Vertiv UPS network cards and HVAC controllers. The primary issues involve:
1. **Command Injection:** Inadequate sanitization of user input in the web interface allows an attacker to execute system-level commands on the underlying Linux OS.
2. **Broken Authentication:** Flaws in how the devices handle session tokens or administrative credentials, potentially allowing unauthorized access to the management console.
3. **Hardcoded Credentials:** Use of undocumented default accounts in certain firmware versions.
## Exploitation
- **Status:** PoC available (Developed by Claroty Team82 for research purposes).
- **Complexity:** Low to Medium.
- **Attack Vector:** Network (Remote).
## Impact
- **Confidentiality:** High (Access to device configuration and network credentials).
- **Integrity:** High (Ability to modify power thresholds and cooling parameters).
- **Availability:** High (Critical risk: Attackers can remotely shut down power to servers or induce hardware failure by disabling HVAC cooling).
## Remediation
### Patches
- **Vertiv Firmware Updates:** Users should upgrade Unity Card firmware to the latest available version (refer to Vertiv's support portal).
- **HVAC iCOM Updates:** Apply the latest service packs provided by Vertiv Liebert for environmental control units.
### Workarounds
- **Network Segmentation:** Place UPS and HVAC management interfaces on a dedicated, isolated OOB (Out-of-Band) management network or a secure VLAN.
- **Access Control:** Restrict access to the management interface via IP allow-listing (ACLs).
- **Disable Unnecessary Services:** Turn off HTTP, Telnet, or SSH if not explicitly required for operations.
## Detection
- **Indicators of Compromise:**
  - Unexpected administrative logins from unrecognized internal or external IP addresses.
  - Outbound traffic from UPS/HVAC cards to external internet addresses.
  - Presence of unusual strings or shell commands in device web server logs.
- **Detection methods and tools:**
  - Monitor network traffic using signatures derived from the Claroty research.
  - Use industrial-focused IDS/IPS signatures targeting Vertiv Unity card protocols.
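The two log-based indicators above (logins from addresses outside the management network, and shell metacharacters in requests to the card's web interface) can be checked with a small script run over the card's exported access log. The following is an added example written for this summary, not code from Claroty or Vertiv; it assumes the card writes Common Log Format lines, uses a made-up management subnet as the allow-list, and the endpoint names and addresses in the sample log are constructed.

```python
import re
from ipaddress import ip_address, ip_network
from urllib.parse import unquote

# Hypothetical OOB management subnet; in practice take this from the site's ACLs.
MGMT_ALLOWLIST = [ip_network("10.200.0.0/24")]

# Common Log Format as written by most embedded web servers (assumed, not Vertiv-specific).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Shell metacharacters and download/shell tools that have no business in a management request.
SHELL_PATTERN = re.compile(r'[;|`&]|\$\(|\b(?:bash|busybox|wget|curl|nc|telnet)\b')


def analyze_line(line):
    """Return a finding record for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    findings = []
    src = ip_address(m["ip"])
    if not any(src in net for net in MGMT_ALLOWLIST):
        findings.append("source outside management allow-list")
    # Decode twice so a double-URL-encoded payload is inspected in its final form.
    decoded = unquote(unquote(m["path"]))
    if SHELL_PATTERN.search(decoded):
        findings.append("shell metacharacters or shell tool name in request")
    return {"ip": m["ip"], "method": m["method"], "path": decoded,
            "status": m["status"], "findings": findings}


def scan_log(log_text):
    """Return only the lines that produced at least one finding."""
    results = (analyze_line(l) for l in log_text.splitlines() if l.strip())
    return [r for r in results if r and r["findings"]]


# Constructed sample log; the paths and addresses are made up for this example.
SAMPLE_LOG = """\
10.200.0.15 - - [10/Oct/2024:08:01:02 +0000] "GET /index.htm HTTP/1.1" 200 1523
10.200.0.15 - - [10/Oct/2024:08:01:05 +0000] "POST /login.cgi HTTP/1.1" 302 0
192.168.77.9 - - [10/Oct/2024:08:02:11 +0000] "POST /login.cgi HTTP/1.1" 302 0
10.200.0.15 - - [10/Oct/2024:08:03:20 +0000] "GET /diag.cgi?target=10.0.0.1%253B%2520id HTTP/1.1" 200 88
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ip"], hit["method"], hit["path"], hit["findings"])
```

Only the third and fourth sample lines are reported: the login from outside the allow-listed subnet, and the request whose double-encoded parameter decodes to a `;`-separated shell command.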
## References
- **Claroty Research:** hxxps[://]claroty[.]com/team82/research/attacking-ups-network-cards-to-take-down-data-centers
- **Security Week:** hxxps[://]www[.]securityweek[.]com/critical-hvac-and-ups-vulnerabilities-could-let-hackers-disrupt-data-centers/
- **Vendor Site:** hxxps[://]www[.]vertiv[.]com/en-us/support/security-advisories/