Dive Brief:
- Cyber threat researchers at Team82 said on Tuesday they’ve identified data center vulnerabilities in widely deployed Trane Tracer SC+ HVAC controllers and Vertiv Liebert IS-UNITY-DP network cards.
- The vulnerabilities could allow unauthenticated attackers to disrupt HVAC and chiller operations and power management systems, potentially affecting thermal stability and leading to service degradation, outages or hardware damage, according to security company Claroty, whose Team82 looks for cyber risks to help companies stay ahead of bad actors.
- Both companies have been informed of the risks and have updates available to mitigate them, Claroty says.
Dive Insight:
A part of cybersecurity firm Claroty, Team82 conducts research to find threat vulnerabilities so they can be addressed upfront.
Two vulnerabilities that the team identified in Vertiv’s Liebert IS-UNITY-DP network cards were assessed a 9.8 out of 10 based on the Common Vulnerability Scoring System, or CVSSv3, a standard open framework used to rate the severity of security flaws.
The cards are used as a network interface for Vertiv’s uninterrupted power supply, or UPS, devices, which are used to keep critical equipment running in the event of a power outage. When grid energy goes down, the UPS switches to its internal battery, preventing sudden shutdowns and enabling data centers to keep servers, routers and control systems online and stable.
The vulnerabilities could give unauthorized actors an entrypoint for disrupting power operations, the Team82 report says. “Successful exploits could allow an attacker to not only access vulnerable devices, but also execute arbitrary code that could cause damaging disruptions to organizations reliant on these devices for uptime and service reliability,” it says.
In addition to preventing people from logging in to the web interface, the report says, “an attacker can do real damage by requesting an ‘output OFF’ in a managed UPS configuration, which in ‘UPS language’ means shut down any powered-by-UPS device. In the case of a data center, an entire facility could be impacted by this one vulnerability.”
To address the vulnerabilities, Vertiv recommends users implement Liebert RDU101 and IS-UNITY firmware updates, according to the report.
Attack vectors in cooling systems
Vulnerabilities identified in the Trane Tracer SC+ HVAC controller were included in a separate research report released Tuesday.
“These vulnerabilities could allow an unauthenticated remote attacker to gain complete control over a critical building management system,” the team said in its report. “In practice, this could give an attacker complete control over a … system from the outside.”
Multiple API routes that do not require authentication on the Tracer SC+ web server allowed unauthorized access to sensitive information, including information about the device and its nested devices, like those connected to it via BACnet or LonTalks, Team82 said. API routes are pathways that applications use to access a server.
“An attacker could use this information to map the internal building automation network, identify connected controllers and critical infrastructure, and interact directly with downstream devices,” the team said. “This could enable reconnaissance for further attacks, unauthorized manipulation of building systems, disruption of HVAC operations, or lateral movement into other connected operational technology environments.”
To address these issues, Trane recommends updating Tracer SC+ controllers to version v6.3 or later, the report says.
Trane and Vertiv did not respond to a request for comment before this story was published.
