OTPulse

Eaton ePDU Path Traversal Vulnerability

Monitor | 5.3 | ICS-CERT ICSA-17-026-01 | Jan 26, 2017
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

A path traversal vulnerability exists in legacy Eaton ePDUs (EAMAxx, EMAxxx, ESWAxx, EMAAxx, EAMxxx series) that allows an attacker with network access to read arbitrary files from the device filesystem. The vulnerability affects products that reached end-of-life between January 31, 2014 and June 30, 2015. No vendor patches are available.

What this means
What could happen
An attacker could read sensitive configuration files and credentials from the ePDU, potentially gaining access to its control functions or learning details of the power distribution infrastructure serving your facility.
Who's at risk
Power facility managers operating legacy Eaton ePDU devices for power distribution monitoring and control. This affects organizations still using Eaton ePDUs from the EAMAxx, EMAxxx, ESWAxx, EMAAxx, and EAMxxx product lines, particularly in water utilities, municipal electric systems, and industrial plants.
How it could be exploited
An attacker on the network sends a crafted HTTP request with path traversal sequences (e.g., "../../../") to the ePDU web interface to access files outside the intended directory. This allows reading of configuration files, firmware images, or authentication credentials stored on the device without authentication.
Prerequisites
  • Network access to the ePDU web interface (typically port 80 or 443)
  • The ePDU must be reachable from the attacker's network location
  • No authentication required
Key points
  • Remotely exploitable
  • No authentication required
  • Low complexity
  • No patch available (end-of-life products)
  • Affects critical infrastructure power monitoring
Exploitability
Moderate exploit probability (EPSS 1.7%)
Affected products (5, all EOL)

Product | Affected Versions | Fix Status
EAMAxx | prior to January 31 2014 | No fix (EOL)
EMAxxx | prior to January 31 2014 | No fix (EOL)
ESWAxx | prior to January 31 2014 | No fix (EOL)
EMAAxx | prior to January 31 2014 | No fix (EOL)
EAMxxx | prior to June 30 2015 | No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Restrict network access to ePDU management interfaces using firewall rules or network segmentation; only authorized management workstations should reach ports 80/443 on the ePDU
HARDENING: If the ePDU is still in use, review and change default credentials and any credentials that may have been exposed
Mitigations - no patch available
The following products have reached End of Life with no planned fix: EAMAxx: prior to January 31 2014, EMAxxx: prior to January 31 2014, ESWAxx: prior to January 31 2014, EMAAxx: prior to January 31 2014, EAMxxx: prior to June 30 2015. Apply the following compensating controls:
HARDENING: Monitor ePDU access logs for suspicious HTTP requests containing path traversal patterns (../, etc.)
HARDENING: Plan replacement of end-of-life ePDU devices with supported models as part of regular equipment refresh
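To support the log-monitoring control above, here is an added example (not part of the advisory and not Eaton's code) that scans web-server access log lines for traversal sequences, including URL-encoded and double-encoded forms. The Common Log Format and the sample lines are assumptions, since the ePDU's actual log format is not given in the advisory.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in Common Log Format (assumed; the
# real ePDU log format is not documented here). Not from a real device.
SAMPLE_LOG = """\
192.0.2.10 - - [26/Jan/2017:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512
192.0.2.77 - - [26/Jan/2017:10:00:02 +0000] "GET /cgi-bin/../../../etc/passwd HTTP/1.1" 200 1024
192.0.2.77 - - [26/Jan/2017:10:00:03 +0000] "GET /images/%2e%2e%2f%2e%2e%2fconfig.ini HTTP/1.1" 200 2048
192.0.2.77 - - [26/Jan/2017:10:00:04 +0000] "GET /%252e%252e/%252e%252e/flash/cfg HTTP/1.1" 404 0
192.0.2.10 - - [26/Jan/2017:10:00:05 +0000] "GET /static/logo..png HTTP/1.1" 200 300
"""

# Common Log Format request line: source, timestamp, "METHOD path proto", status.
REQUEST_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# A ".." segment bounded by a slash or backslash (or the ends of the path);
# "logo..png" is not a traversal and must not match.
TRAVERSAL_RE = re.compile(r'(^|[/\\])\.\.([/\\]|$)')

def decode_fully(path, rounds=3):
    """Percent-decode repeatedly so double-encoded sequences (%252e) are caught."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def is_traversal(path):
    """True if the decoded request path contains a directory-traversal segment."""
    return bool(TRAVERSAL_RE.search(decode_fully(path)))

def scan_log(text):
    """Return (source, raw path, status) for each request flagged as traversal.
    A 200 status on a flagged request suggests the read may have succeeded."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m and is_traversal(m.group("path")):
            hits.append((m.group("src"), m.group("path"), int(m.group("status"))))
    return hits

if __name__ == "__main__":
    for src, path, status in scan_log(SAMPLE_LOG):
        print(f"traversal attempt from {src}: {path} -> HTTP {status}")
```

Feed it the device's real access log instead of SAMPLE_LOG and alert on any hit; repeated hits from one source with 200 responses warrant treating the device's stored credentials as exposed.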