OTPulse
FeedAboutContact

Tec4Data SmartCooler

Plan Patch7.5ICS-CERT ICSA-18-263-01Sep 20, 2018
Attack VectorNetwork
Auth RequiredNone
ComplexityLow
User InteractionNone needed
Summary

Tec4Data SmartCooler devices allow shutdown (denial of service) due to missing authentication on a critical function. An attacker with network access can trigger device shutdown without credentials. Fixed in firmware version 180806.

What this means
What could happen
An attacker can remotely shut down SmartCooler units without valid credentials, causing loss of cooling functionality and potential process disruption or equipment damage if thermal management is critical to your operations.
Who's at risk
Any facility operating Tec4Data SmartCooler units for thermal management, including data centers, process cooling in water treatment or power plants, HVAC systems for industrial buildings, and any application where cooling loss could impact operations or safety. All SmartCooler firmware versions before 180806 are vulnerable.
How it could be exploited
An attacker on the network sends an unauthenticated shutdown command to the SmartCooler device. The device accepts the command because the critical shutdown function does not verify user credentials, and the device stops cooling immediately.
Prerequisites
  • Network access to the SmartCooler device (port/service unknown from advisory)
  • No credentials required
Remotely exploitableNo authentication requiredLow complexityAffects availability of cooling systems
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (1)
ProductAffected VersionsFix Status
SmartCooler: all< 180806180806
Remediation & Mitigation
0/4
Do now
0/1
HARDENINGRestrict network access to SmartCooler devices using firewall rules; do not expose them to the Internet or untrusted networks
Schedule — requires maintenance window
0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate SmartCooler firmware to version 180806 or later
Long-term hardening
0/2
HARDENINGIsolate SmartCooler devices from the business network using network segmentation; place them behind a firewall on a dedicated control system network
HARDENINGIf remote access to SmartCooler is required, require a VPN with current security updates
View full CISA ICS-CERT advisory
↑↓ Navigate · Esc Close
API: /api/v1/advisories/41d443ba-9f2b-40c0-a77d-edd47d4cc82a
Tec4Data SmartCooler | CVSS 7.5 - OTPulse