Multiple vulnerabilities in Eaton Intelligent Power Manager

1) SQL injection

EUVDB-ID: #VU52450

Risk: Low

CVSSv4.0: 4.8 [CVSS:4.0/AV:A/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2021-23276

CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary SQL queries in database.

The vulnerability exists due to insufficient sanitization of user-supplied data. A remote authenticated attacker on the local network can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.

Successful exploitation of this vulnerability may allow a remote attacker to read, delete, modify data in database and gain complete control over the affected application.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Intelligent Power Manager: before 1.69

Intelligent Power Manager Virtual Appliance: before 1.69

Intelligent Power Protector: before 1.68

CPE2.3

• cpe:2.3:a:eaton:intelligent_power_manager:*:*:*:*:*:*:*:*
• cpe:2.3:a:eaton:intelligent_power_manager_virtual_appliance:*:*:*:*:*:*:*:*
• cpe:2.3:a:eaton:intelligent_power_protector:*:*:*:*:*:*:*:*

External links

https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-intelligent-power-manager-ipm-vulnerability-advisory.pdf

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Eval Injection

EUVDB-ID: #VU52451

Risk: Medium

CVSSv4.0: 5.2 [CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2021-23277

CWE-ID: CWE-95 - Eval Injection

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the system.

The vulnerability exists due to the affected software does not neutralize code syntax from users before using in the dynamic evaluation call in the "loadUserFile" function under scripts/libs/utils.js. A remote attacker on the local network can control the input to the function and execute attacker-controlled commands.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Intelligent Power Manager: before 1.69

Intelligent Power Manager Virtual Appliance: before 1.69

Intelligent Power Protector: before 1.68

CPE2.3

• cpe:2.3:a:eaton:intelligent_power_manager:*:*:*:*:*:*:*:*
• cpe:2.3:a:eaton:intelligent_power_manager_virtual_appliance:*:*:*:*:*:*:*:*
• cpe:2.3:a:eaton:intelligent_power_protector:*:*:*:*:*:*:*:*

External links

https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-intelligent-power-manager-ipm-vulnerability-advisory.pdf

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Input validation error

EUVDB-ID: #VU52452

Risk: Low

CVSSv4.0: 4.8 [CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2021-23278

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to insufficient validation of user-supplied input in the "removeBackground" function in "server/maps_srv.js" and "removeFirmware" function in "server/node_upgrade_srv.js". A remote authenticated attacker on the local network can send specially crafted packets to delete the files on the system where IPM software is installed.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Intelligent Power Manager: before 1.69

Intelligent Power Manager Virtual Appliance: before 1.69

Intelligent Power Protector: before 1.68

CPE2.3

• cpe:2.3:a:eaton:intelligent_power_manager:*:*:*:*:*:*:*:*
• cpe:2.3:a:eaton:intelligent_power_manager_virtual_appliance:*:*:*:*:*:*:*:*
• cpe:2.3:a:eaton:intelligent_power_protector:*:*:*:*:*:*:*:*

External links

https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-intelligent-power-manager-ipm-vulnerability-advisory.pdf

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Input validation error

EUVDB-ID: #VU52453

Risk: Medium

CVSSv4.0: 2.4 [CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2021-23279

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to delete arbitrary files on the target system.

The vulnerability exists due to insufficient validation of user-supplied input in the "saveDriverData" function in meta_driver_srv.js class using invalidated driverID. A remote attacker on the local network can send specially crafted packets to delete the files on the system where IPM software is installed.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Intelligent Power Manager: before 1.69

Intelligent Power Manager Virtual Appliance: before 1.69

Intelligent Power Protector: before 1.68

CPE2.3

• cpe:2.3:a:eaton:intelligent_power_manager:*:*:*:*:*:*:*:*
• cpe:2.3:a:eaton:intelligent_power_manager_virtual_appliance:*:*:*:*:*:*:*:*
• cpe:2.3:a:eaton:intelligent_power_protector:*:*:*:*:*:*:*:*

External links

https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-intelligent-power-manager-ipm-vulnerability-advisory.pdf

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Arbitrary file upload

EUVDB-ID: #VU52456

Risk: Low

CVSSv4.0: 4.8 [CVSS:4.0/AV:A/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2021-23280

CWE-ID: CWE-434 - Unrestricted Upload of File with Dangerous Type

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to insufficient validation of file during file upload within the "uploadBackground" function in "maps_srv.js". A remote authenticated attacker on the local network can upload a malicious file and execute it on the server.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Intelligent Power Manager: before 1.69

Intelligent Power Manager Virtual Appliance: before 1.69

Intelligent Power Protector: before 1.68

CPE2.3

• cpe:2.3:a:eaton:intelligent_power_manager:*:*:*:*:*:*:*:*
• cpe:2.3:a:eaton:intelligent_power_manager_virtual_appliance:*:*:*:*:*:*:*:*
• cpe:2.3:a:eaton:intelligent_power_protector:*:*:*:*:*:*:*:*

External links

https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-intelligent-power-manager-ipm-vulnerability-advisory.pdf

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Code Injection

EUVDB-ID: #VU52459

Risk: Medium

CVSSv4.0: 5.2 [CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2021-23281

CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to improper input validation in the "coverterCheckList" function in meta_driver_srv.js class. A remote attacker on the local network can send a specially crafted packet and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Intelligent Power Protector: before 1.68

Intelligent Power Manager: before 1.69

Intelligent Power Manager Virtual Appliance: before 1.69

CPE2.3

• cpe:2.3:a:eaton:intelligent_power_protector:*:*:*:*:*:*:*:*
• cpe:2.3:a:eaton:intelligent_power_manager:*:*:*:*:*:*:*:*
• cpe:2.3:a:eaton:intelligent_power_manager_virtual_appliance:*:*:*:*:*:*:*:*

External links

https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-intelligent-power-manager-ipm-vulnerability-advisory.pdf

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.