When considering device vulnerabilities, we often think of flaws in low-level protocols in software stacks. However, the web interface used to manage many of today’s OT and IoT devices poses a significant risk.
Recently, we analyzed a power distribution unit (PDU), the Schneider Electric/APC AP7920B, in our lab and discovered a vulnerability in its web interface. We reported it through a responsible disclosure process; CISA and Schneider Electric then publicly disclosed it by releasing ICS-CERT advisory ICSA-21-348-02 and the SEVD-2021-348-04 notification, respectively. This is the latest in a series of research findings from Nozomi Networks regarding OT and IoT security.
A PDU is a device used to monitor and distribute electrical power to equipment plugged into it. If a malicious actor gains privileged access to a PDU, they can close outlets and cause the equipment to restart, potentially compromising operational availability.
The Schneider Electric/APC PDU in question is a switched rack unit used in physical infrastructure such as power, transportation, and water/wastewater systems. The vulnerability we discovered applied when its management software was used with the latest versions of certain browsers available at the time of research. This means that approximately ten percent of all desktop browsers worldwide could have been successfully exploited to execute an attack.1
In this article, we describe PDUs, web security fundamentals, and the AP7920B vulnerability. This particular issue, along with other security vulnerabilities, could allow an attacker to elevate low-level application privileges to high-level ones, providing the necessary permissions and opportunity to shut down or damage connected equipment.