CVE-2021-23278
📋 TL;DR
This vulnerability allows authenticated attackers to delete arbitrary files on systems running vulnerable versions of Eaton Intelligent Power Manager (IPM). Attackers can exploit improper input validation in specific server components to send crafted packets that delete files. Organizations using IPM versions prior to 1.69 are affected.
💻 Affected Systems
- Eaton Intelligent Power Manager (IPM)
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise through deletion of critical system files, leading to service disruption, data loss, or system instability.
Likely Case
Targeted deletion of configuration files, logs, or firmware images causing service disruption and operational impact.
If Mitigated
Limited impact if proper authentication controls and file system permissions restrict attacker capabilities.
🎯 Exploit Status
Exploitation requires authenticated access but uses simple crafted packets targeting specific endpoints.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.69
Restart Required: Yes
Instructions:
1. Download IPM version 1.69 from Eaton's official portal.
2. Back up the current configuration.
3. Run the installer to upgrade.
4. Restart the IPM service.
5. Verify the upgrade completed successfully.
🔧 Temporary Workarounds
Restrict Network Access
Limit access to the IPM management interface to trusted networks only.
Implement Strong Authentication
Enforce strong password policies and consider multi-factor authentication for IPM access.
🧯 If You Can't Patch
- Implement strict access controls to limit which users can authenticate to IPM
- Monitor file deletion events and implement file integrity monitoring on critical IPM directories
🔍 How to Verify
Check if Vulnerable:
Check IPM version in the web interface under Help > About or examine the installed version in the program files directory.
Check Version:
On Windows: check the installed version under the 'Program Files\Eaton\Intelligent Power Manager' directory. On Linux: check the installation directory, or use 'rpm -qa | grep ipm' or 'dpkg -l | grep ipm'.
Verify Fix Applied:
Verify the version number shows 1.69 or higher in the IPM interface and test that the removeBackground and removeFirmware actions properly validate input.
📡 Detection & Monitoring
Log Indicators:
- Unusual file deletion events in IPM logs
- Multiple failed authentication attempts followed by successful login and file operations
Network Indicators:
- HTTP POST requests to /server/maps_srv.js with action=removeBackground
- HTTP POST requests to /server/node_upgrade_srv.js with action=removeFirmware
SIEM Query:
source="ipm_logs" AND (action="removeBackground" OR action="removeFirmware") AND status="success"
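The network indicators and SIEM query above can be applied to ordinary web-server access logs. The following script is an added example (not part of the advisory and not Eaton code) that flags POST requests to the two IPM endpoints carrying the removeBackground or removeFirmware action; it assumes the action parameter is visible in the logged request target, and the log lines are constructed samples.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Endpoints and actions named in the advisory's network indicators.
WATCHED = {
    "/server/maps_srv.js": {"removeBackground"},
    "/server/node_upgrade_srv.js": {"removeFirmware"},
}

# Common Log Format style line: client, ident, user, [timestamp], "METHOD TARGET PROTO", status.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def flag_file_removal_requests(lines):
    """Return (client, user, path, action, status) tuples for POSTs that hit
    the IPM file-removal endpoints with a watched action parameter.
    Assumption: the action appears in the logged request target (query
    string). If the product only sends it in the POST body, run the same
    check against a proxy or WAF log that records request bodies."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        parts = urlsplit(m["target"])
        if parts.path not in WATCHED:
            continue
        for action in parse_qs(parts.query).get("action", []):
            if action in WATCHED[parts.path]:
                hits.append((m["client"], m["user"], parts.path, action, int(m["status"])))
    return hits

# Constructed sample log lines (not real traffic); two should alert, two should not.
SAMPLE_LOG = [
    '10.0.0.5 - admin [03/Mar/2021:10:15:01 +0000] "POST /server/maps_srv.js?action=removeBackground&id=7 HTTP/1.1" 200',
    '10.0.0.5 - admin [03/Mar/2021:10:15:03 +0000] "POST /server/node_upgrade_srv.js?action=removeFirmware HTTP/1.1" 200',
    '10.0.0.9 - - [03/Mar/2021:10:16:00 +0000] "GET /server/maps_srv.js?action=getBackgrounds HTTP/1.1" 200',
    '10.0.0.9 - - [03/Mar/2021:10:16:05 +0000] "POST /server/maps_srv.js?action=uploadBackground HTTP/1.1" 200',
]

if __name__ == "__main__":
    for hit in flag_file_removal_requests(SAMPLE_LOG):
        print("ALERT: %s as %s -> %s action=%s status=%d" % hit)
```

Correlate alerts with the authentication events listed under Log Indicators, since a legitimate administrator may also invoke these actions.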
🔗 References
- https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-intelligent-power-manager-ipm-vulnerability-advisory.pdf