CVE-2018-12922 in Control
Summary
by MITRE
Emerson Liebert IntelliSlot Web Card devices allow remote attackers to reconfigure access control via the config/configUser.htm or config/configTelnet.htm URI.
Analysis
by VulDB Data Team • 02/23/2020
The vulnerability identified as CVE-2018-12922 affects Emerson Liebert IntelliSlot Web Card devices, which are networked power distribution units designed for monitoring and controlling electrical power in data centers and critical infrastructure environments. These devices typically provide web-based management interfaces that allow administrators to configure various system parameters including user access controls and remote access services. The flaw resides in the device's web interface implementation where insufficient input validation and authorization checks exist for specific configuration endpoints.
Exploitation occurs through unauthenticated access to two specific URI paths: config/configUser.htm and config/configTelnet.htm. These endpoints control access control settings and telnet configuration parameters, respectively. Attackers can remotely change these settings without valid credentials or authentication, which lets them modify user permissions and enable or disable remote access services. This is a fundamental breakdown in the device's security model: administrative functions are exposed to unauthenticated users.
The operational impact of this vulnerability is significant for organizations relying on these devices for power management in critical environments. An attacker who successfully exploits this vulnerability can gain unauthorized access to the device's administrative functions, potentially leading to complete compromise of the power distribution infrastructure. The ability to reconfigure access controls means attackers could create new administrative accounts, modify existing user permissions, or disable security features. Additionally, the telnet configuration manipulation capability could enable persistent remote access to the device, allowing attackers to maintain control over the power distribution system even after initial compromise.
This vulnerability aligns with CWE-284 (Improper Access Control) and represents a classic example of insufficient authorization checks in web applications. The flaw demonstrates poor security implementation where administrative functions are not properly protected from unauthorized access. From an attack perspective, this vulnerability maps to several ATT&CK techniques including T1078 (Valid Accounts) and T1021.004 (SSH) when attackers leverage the ability to modify remote access configurations. The vulnerability also relates to T1566 (Phishing) and T1190 (Exploit Public-Facing Application) as it represents an exploitable entry point in publicly accessible network devices.
Organizations should immediately implement network segmentation to isolate these devices from general network access and ensure they are only accessible from trusted administrative networks. Device firmware updates from Emerson should be applied promptly to address the authentication bypass vulnerability. Network monitoring should be enhanced to detect unusual access patterns to these specific URI paths, and access controls should be reviewed to ensure only authorized personnel can access the device management interfaces. Regular security audits of networked devices should include verification of proper access control implementations to prevent similar vulnerabilities from being introduced in future deployments.
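One way to implement the monitoring recommended above, as an added example that is not VulDB's or Emerson's code: it scans access logs for requests to the two URIs from the CVE description and reports those that originate outside the administrative network. It assumes a reverse proxy or network sensor in front of the cards writes Common Log Format lines; the admin subnet, function names and sample log lines are constructed for illustration.

```python
import ipaddress
import posixpath
import re
from urllib.parse import unquote

# The two URIs named in the CVE-2018-12922 description, lowercased for comparison.
WATCHED_PATHS = {"/config/configuser.htm", "/config/configtelnet.htm"}
# Assumption: management subnet allowed to reach the cards (constructed value).
ADMIN_NETWORKS = [ipaddress.ip_network("10.20.30.0/28")]
# Common Log Format prefix: client, timestamp, request line, status.
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def normalize_path(target):
    """Drop the query string, decode, and canonicalize so variants still match."""
    path = unquote(target.split("?", 1)[0])
    return posixpath.normpath("/" + path.lstrip("/")).lower()

def find_suspect_requests(lines, admin_networks=ADMIN_NETWORKS):
    """Return (timestamp, source, method, path, status) for watched-URI
    requests that come from outside the admin networks."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the expected log format
        path = normalize_path(m["target"])
        if path not in WATCHED_PATHS:
            continue
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            continue  # client field is a hostname, not an IP address
        if any(src in net for net in admin_networks):
            continue  # expected administrative access
        hits.append((m["ts"], str(src), m["method"], path, int(m["status"])))
    return hits

# Constructed sample log lines (not captured from a real device).
SAMPLE_LOG = [
    '10.20.30.5 - - [01/Mar/2020:09:00:01 +0000] "GET /config/configUser.htm HTTP/1.1" 200 512',
    '192.0.2.77 - - [01/Mar/2020:09:02:13 +0000] "POST /config/configTelnet.htm HTTP/1.1" 200 128',
    '192.0.2.77 - - [01/Mar/2020:09:02:20 +0000] "GET /index.htm HTTP/1.1" 200 2048',
    '198.51.100.9 - - [01/Mar/2020:09:05:44 +0000] "GET /config/ConfigUser.htm?x=1 HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for hit in find_suspect_requests(SAMPLE_LOG):
        print(hit)
```

A 200 status on a hit from outside the admin network deserves the most attention, since it indicates the device served the configuration page to that source.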