A recent vulnerability, CVE-2022-41644, was discovered in the widely used Delta Electronics InfraSuite Device Master (versions 00.00.01a and prior), a popular tool for managing infrastructure equipment in data centers and other industrial environments. This security flaw has potentially severe consequences, as it could allow attackers to escalate their privileges on affected systems or create a denial-of-service (DoS) state, leading to disruptions in critical system operations.

Details

CVE-2022-41644 is caused by a lack of proper authentication mechanisms while accessing certain sensitive functions. In particular, this vulnerability lies in the server-side function responsible for managing group privileges in the InfraSuite Device Master. The specific affected function does not validate user privileges, meaning that an attacker could potentially call this function without the necessary administrative permissions.

return HttpResponse("Group privileges updated")

As seen in the code example, the 'change_group_privileges' function takes user input for 'group_id' and 'new_privileges' (lines 2-3) and directly updates the privileges for a given group (line 4). However, there is no authentication or authorization check in place to ensure that the user making this request has the necessary permissions.

Exploit Details

An attacker can exploit this security flaw by sending a specially crafted HTTP request to call the 'change_group_privileges' function without valid credentials:

Method: 'POST'
URL: 'http://path/to/vulnerable/resource'

POST Data

{
  "new_privileges": "escalated_privileges"
}

The attacker can potentially abuse this vulnerability to change group privileges, which may lead to two possible attack scenarios:

1. Escalating their own privileges - The attacker can increase their access level within InfraSuite Device Master, granting them unauthorized access to sensitive information, capabilities, and system controls.

2. Creating a Denial-of-Service state - The attacker could reduce or remove privileges for legitimate users or groups, making it impossible for them to perform their required tasks and causing disruptions in system operations.

Remediation

As of now, there are no available patches or updates to fully mitigate this vulnerability. Delta Electronics is encouraged to address this issue immediately by implementing proper authentication mechanisms for such sensitive functions.

In the meantime, users leveraging Delta Electronics InfraSuite Device Master are advised to monitor their systems closely and ensure they have proper security measures in place to help detect any unauthorized privilege access.
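
One way to implement the check that the Details section says is missing, as an added example that is not code from the original page or from Delta Electronics: a deny-by-default handler that authenticates, authorizes, validates input, and records every attempt so that denied calls can be alerted on. The User and Request classes, the manage_groups permission, the group table and the privilege names are assumptions, constructed so the sketch runs stand-alone.

```python
from dataclasses import dataclass, field

# Constructed sample state; group ids and privilege names are assumptions.
ALLOWED_PRIVILEGES = {"read_only", "operator", "administrator"}
GROUPS = {"1": "administrator", "2": "operator", "3": "read_only"}
AUDIT_LOG = []  # (user, group_id, requested privileges, status) per attempt


@dataclass
class User:
    name: str
    authenticated: bool = False
    permissions: frozenset = frozenset()


@dataclass
class Request:
    user: User
    POST: dict = field(default_factory=dict)


def change_group_privileges(request):
    """Deny-by-default version of the handler; returns (status, body)."""
    group_id = request.POST.get("group_id")
    new_privileges = request.POST.get("new_privileges")

    def finish(status, body):
        # Log allowed and denied attempts alike, for monitoring.
        AUDIT_LOG.append((request.user.name, group_id, new_privileges, status))
        return status, body

    # 1. Authentication: anonymous callers never reach the update.
    if not request.user.authenticated:
        return finish(401, "Authentication required")
    # 2. Authorization: only holders of the (hypothetical) manage_groups
    #    permission may change any group's privileges.
    if "manage_groups" not in request.user.permissions:
        return finish(403, "Forbidden")
    # 3. Input validation: known group, allow-listed privilege level.
    if group_id not in GROUPS or new_privileges not in ALLOWED_PRIVILEGES:
        return finish(400, "Invalid group or privilege level")
    # 4. Availability guard: keep at least one administrator group so a
    #    single request cannot lock every legitimate user out.
    admins = [g for g, p in GROUPS.items() if p == "administrator"]
    if admins == [group_id] and new_privileges != "administrator":
        return finish(409, "Refusing to remove the last administrator group")

    GROUPS[group_id] = new_privileges
    return finish(200, "Group privileges updated")
```

Entries in AUDIT_LOG with status 401 or 403 are the events to alert on when monitoring for unauthorized privilege changes.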

Timeline

Published on: 10/31/2022 20:15:00 UTC
Last modified on: 11/02/2022 13:00:00 UTC