CVE-2020-11956
📋 TL;DR
CVE-2020-11956 is a privilege escalation vulnerability in Rittal PDU and CMCIII devices that allows attackers to bypass intended access restrictions. This affects Rittal PDU-3C002DEC devices through firmware version 5.17.10 and CMCIII-PU-9333E0FB devices through firmware version 3.17.10. Attackers can gain elevated privileges on affected devices.
💻 Affected Systems
- Rittal PDU-3C002DEC
- Rittal CMCIII-PU-9333E0FB
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of affected devices allowing attackers to manipulate power distribution, disable monitoring, or use devices as footholds into connected networks.
Likely Case
Unauthorized access to device management functions, configuration changes, and potential disruption of power management operations.
If Mitigated
Limited impact if devices are isolated from untrusted networks and access controls are properly implemented.
🎯 Exploit Status
Exploitation requires some level of access but privilege escalation is straightforward once initial access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: PDU-3C002DEC: >5.17.10, CMCIII-PU-9333E0FB: >3.17.10
Vendor Advisory: https://www.rittal.com/com-en/content/en/cybersecurity/
Restart Required: Yes
Instructions:
1. Contact Rittal support for firmware updates.
2. Download appropriate firmware version.
3. Apply firmware update via device management interface.
4. Reboot device after update.
🔧 Temporary Workarounds
Network segmentation
Isolate affected devices from untrusted networks and limit access to management interfaces.
Access control restrictions
Implement strict access controls and limit user privileges to minimum required levels.
🧯 If You Can't Patch
- Segment devices on isolated network segments with strict firewall rules
- Implement network monitoring for unusual access patterns to device management interfaces
🔍 How to Verify
Check if Vulnerable:
Check device firmware version via web interface or CLI. For PDU-3C002DEC: version ≤5.17.10. For CMCIII-PU-9333E0FB: version ≤3.17.10.
Check Version:
Check via device web interface at System > Firmware or via SNMP query to device firmware OID.
Verify Fix Applied:
Verify firmware version is updated beyond vulnerable versions: PDU-3C002DEC >5.17.10, CMCIII-PU-9333E0FB >3.17.10.
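The version check above, applied to an inventory export. This is an added example, not vendor code or part of the original advisory. The function names and inventory rows are hypothetical, and it assumes firmware is reported as dotted numbers with an optional leading "V".

```python
import re

# Last vulnerable firmware per model, as stated on this page.
LAST_VULNERABLE = {
    "PDU-3C002DEC": (5, 17, 10),
    "CMCIII-PU-9333E0FB": (3, 17, 10),
}

def parse_version(text):
    """Return a tuple of ints for 'V5.17.9' or '5.17.10', or None if unparseable."""
    # Assumed format: dotted numeric with optional leading V (not confirmed by the page).
    m = re.fullmatch(r"\s*[vV]?(\d+(?:\.\d+)*)\s*", text or "")
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).split("."))

def classify(model, firmware):
    """Return 'vulnerable', 'fixed', 'unknown-model' or 'unparseable-version'."""
    limit = LAST_VULNERABLE.get(model.strip().upper())
    if limit is None:
        return "unknown-model"
    version = parse_version(firmware)
    if version is None:
        return "unparseable-version"
    # Pad to equal length so 5.17 compares as 5.17.0.
    width = max(len(version), len(limit))
    pad = lambda v: v + (0,) * (width - len(v))
    return "vulnerable" if pad(version) <= pad(limit) else "fixed"

# Constructed inventory rows (host, model, reported firmware); not real devices.
SAMPLE_INVENTORY = [
    ("pdu-rack01", "PDU-3C002DEC", "5.17.10"),
    ("pdu-rack02", "PDU-3C002DEC", "5.17.9"),  # a string compare would rank this above 5.17.10
    ("pdu-rack03", "PDU-3C002DEC", "V5.18.2"),
    ("cmc-room1", "CMCIII-PU-9333E0FB", "3.17.10"),
    ("cmc-room2", "CMCIII-PU-9333E0FB", "3.17.20"),
    ("cmc-room3", "CMCIII-PU-9333E0FB", "n/a"),
]

def triage(inventory):
    """Map each host to its classification."""
    return {host: classify(model, fw) for host, model, fw in inventory}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Rows that come back as `unknown-model` or `unparseable-version` need a manual check rather than being treated as fixed.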
📡 Detection & Monitoring
Log Indicators:
- Multiple failed authentication attempts followed by successful privileged access
- Unusual user privilege changes
- Access from unexpected IP addresses to management interfaces
Network Indicators:
- Unusual traffic patterns to device management ports (typically 80/443)
- Multiple authentication attempts from single source
SIEM Query:
source_ip=* AND (dest_port=80 OR dest_port=443) AND (http_method=POST OR http_method=PUT) AND (url_path CONTAINS "/admin" OR url_path CONTAINS "/config") AND status_code=200