speedypolew.blogg.se

Internet networx

A backdoor exists in older firmware versions of this power delivery unit that would allow third parties to turn devices connected to the unit on or off without further authentication. I've been after this issue since June 2022; a few days ago the manufacturer, TechLogix Networx, provided an update that removes this vulnerability. Since Septemis also the end of the 90 days I set as the deadline for a responsible disclosure, I would have disclosed the details even without a patch now.

On June 11, 2022, a blog reader commented that he had encountered a backdoor in a power delivery unit used in data centers. The manufacturer does not want to fix this backdoor, although the devices connected to the unit can be switched on and off remotely via HTTP without access data. The reader, who wishes to remain anonymous, asked who he could contact. I then contacted the reader by email, asking for details and offering to contact the manufacturer and, if necessary, the BSI. Here are the reader's responses, which I have slightly edited:

It was as simple as can be: the device has no CLI, but should be able to be turned on and off from an application interface. Since I had been using Python scripts to address other devices via librequests anyway, I just did the same here. The usual procedure: trace the JSON requests sent back and forth in Firefox and transfer them to Python. Important parameters are then passed via CLI parameters (IP, user, password, PDU output port, on/off/cycle) and sanitized.

When I then tested a wrong password to check whether the password from the CLI works, I found that the devices can still be switched on and off. At first I thought there was something in the cache, but when I realized that a finished Python script does not use data from a cache somewhere when I restart it, it was clear where I was going. I was able to simply remove the login procedure.
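The following is an added example, not code from the post, the reader or the device firmware: a minimal in-memory model of the flaw class the reader describes, where login exists but the outlet action never checks it, next to a version that authorizes every state-changing request on the server side. The class names, credentials, outlet numbers and status codes are assumptions made for the model.

```python
import hmac
import secrets

# Constructed credentials for the model; not values from any real device.
USERS = {"admin": "correct-horse"}


class VulnerablePdu:
    """Login exists, but the outlet action never checks that it happened."""

    def __init__(self):
        self.outlets = {1: "on", 2: "on"}
        self.sessions = set()

    def login(self, user, password):
        expected = USERS.get(user)
        if expected is not None and hmac.compare_digest(expected, password):
            token = secrets.token_hex(16)
            self.sessions.add(token)
            return token
        return None

    def set_outlet(self, port, state, token=None):
        # Flaw: the token is accepted but ignored, so skipping login() changes nothing.
        self.outlets[port] = state
        return 200


class HardenedPdu(VulnerablePdu):
    """Same interface, but every state-changing request is authorized server-side."""

    def set_outlet(self, port, state, token=None):
        if not token or token not in self.sessions:
            return 401  # no valid session: refuse and change nothing
        if port not in self.outlets or state not in ("on", "off", "cycle"):
            return 400  # validate input instead of trusting the client
        self.outlets[port] = "on" if state == "cycle" else state
        return 200


def probe(pdu):
    """Repeat the reader's test: wrong password, then a switch request without a session."""
    token = pdu.login("admin", "wrong-password")
    status = pdu.set_outlet(1, "off", token)
    return token, status, pdu.outlets[1]
```

Run against updated firmware in a test rack, the equivalent of `probe` should behave like `HardenedPdu`: the failed login yields no session and the outlet state does not change.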













