FKIE_CVE-2022-33174
Vulnerability from fkie_nvd - Published: 2022-06-13 18:15 - Updated: 2024-11-21 07:07
Severity
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
Power Distribution Units running on Powertek firmware (multiple brands) before 3.30.30 allow remote authorization bypass in the web interface. To exploit the vulnerability, an attacker must send an HTTP packet to the data retrieval interface (/cgi/get_param.cgi) with the tmpToken cookie set to an empty string followed by a semicolon. This bypasses an active session authorization check. This can then be used to fetch the values of the protected sys.passwd and sys.su.name fields, which contain the username and password in cleartext.
References
| Source | URL | Tags |
|---|---|---|
| cve@mitre.org | https://gynvael.coldwind.pl/?lang=en&id=748 | Exploit, Third Party Advisory |
| af854a3a-2127-422b-91ae-364da2661108 | https://gynvael.coldwind.pl/?lang=en&id=748 | Exploit, Third Party Advisory |
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:powertekpdus:basic_pdu_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "24FD9B82-5D75-491E-9D64-19B673378568",
"versionEndExcluding": "3.30.30",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:powertekpdus:basic_pdu:-:*:*:*:*:*:*:*",
"matchCriteriaId": "960D65C6-F07C-4B85-8381-E90AE84F1A3B",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:powertekpdus:pm_pdu_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F8331ED3-08F5-4262-8F10-6ABE8394764D",
"versionEndExcluding": "3.30.30",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:powertekpdus:pm_pdu:-:*:*:*:*:*:*:*",
"matchCriteriaId": "BA48F31E-2ACD-4E3C-870E-726A38C04EB1",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:powertekpdus:piml_pdu_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E5AABA79-C8D8-4C7F-8140-8B95E176CE3D",
"versionEndExcluding": "3.30.30",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:powertekpdus:piml_pdu:-:*:*:*:*:*:*:*",
"matchCriteriaId": "5BBF300E-47B2-47FF-91C9-B0EA4473C476",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:powertekpdus:smart_pim_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "72E649EC-CCAC-4D52-9917-AF5F98D9A385",
"versionEndExcluding": "3.30.30",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:powertekpdus:smart_pim:-:*:*:*:*:*:*:*",
"matchCriteriaId": "EF6DEFFC-E208-42AA-9A86-9BEC62A95362",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:powertekpdus:smart_pos_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "89A6F4C3-CA16-4CE4-BBBC-B477A8CF58AC",
"versionEndExcluding": "3.30.30",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:powertekpdus:smart_pos:-:*:*:*:*:*:*:*",
"matchCriteriaId": "733D34C9-2249-4D5B-8CBC-C905B8FD0CF5",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:powertekpdus:smart_pom_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "7B2899F7-848E-4115-A5CA-E8372538999D",
"versionEndExcluding": "3.30.30",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:powertekpdus:smart_pom:-:*:*:*:*:*:*:*",
"matchCriteriaId": "BFEFC68A-5C05-4D12-9A53-AAC7E74C164B",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:powertekpdus:smart_poms_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "5A783F76-C41A-4295-B2F6-E9BD9D5AC6B5",
"versionEndExcluding": "3.30.30",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:powertekpdus:smart_poms:-:*:*:*:*:*:*:*",
"matchCriteriaId": "5C57A1A7-ED1B-46E5-A708-435FF8105DA7",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Power Distribution Units running on Powertek firmware (multiple brands) before 3.30.30 allows remote authorization bypass in the web interface. To exploit the vulnerability, an attacker must send an HTTP packet to the data retrieval interface (/cgi/get_param.cgi) with the tmpToken cookie set to an empty string followed by a semicolon. This bypasses an active session authorization check. This can be then used to fetch the values of protected sys.passwd and sys.su.name fields that contain the username and password in cleartext."
},
{
"lang": "es",
"value": "Las unidades de distribuci\u00f3n de energ\u00eda que son ejecutadas con el firmware de Powertek (varias marcas) versiones anteriores a 3.30.30, permiten omitir la autorizaci\u00f3n remota en la interfaz web. Para explotar la vulnerabilidad, un atacante debe enviar un paquete HTTP a la interfaz de recuperaci\u00f3n de datos (/cgi/get_param.cgi) con la cookie tmpToken configurada con una cadena vac\u00eda seguida de un punto y coma. Esto evita la comprobaci\u00f3n de la autorizaci\u00f3n de la sesi\u00f3n activa. Esto puede ser usado para conseguir los valores de los campos protegidos sys.passwd y sys.su.name que contienen el nombre de usuario y la contrase\u00f1a en texto sin cifrar"
}
],
"id": "CVE-2022-33174",
"lastModified": "2024-11-21T07:07:39.170",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "cve@mitre.org",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-06-13T18:15:10.230",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://gynvael.coldwind.pl/?lang=en\u0026id=748"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://gynvael.coldwind.pl/?lang=en\u0026id=748"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-863"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Sightings
| Author | Source | Type | Date | Other |
|---|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.