CVE-2022-3372
📋 TL;DR
CVE-2022-3372 is a CSRF vulnerability in Netman-204 version 02.05 that allows attackers to change administrator passwords without proper CSRF token validation. This enables remote attackers to access the administrator panel and modify critical industrial operation parameters. Organizations using Riello UPS Netman-204 version 02.05 are affected.
💻 Affected Systems
- Riello UPS Netman-204
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the industrial UPS management system, allowing an attacker to modify critical parameters and potentially cause power disruptions or equipment damage in industrial environments.
Likely Case
Unauthorized access to administrator panel leading to configuration changes, monitoring disruption, or denial of service through password lockout.
If Mitigated
Limited impact with proper network segmentation and access controls preventing external CSRF attacks.
🎯 Exploit Status
Exploitation requires tricking an authenticated administrator into visiting a malicious page, but it does not require special tools or deep technical knowledge.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 02.06 or later
Vendor Advisory: https://www.incibe.es/en/incibe-cert/notices/aviso-sci/cross-site-request-forgery-csrf-riello-ups-netman-204
Restart Required: Yes
Instructions:
1. Download the latest firmware from the Riello website.
2. Back up the current configuration.
3. Upload and install the firmware update.
4. Restart the device.
5. Restore the configuration if needed.
🔧 Temporary Workarounds
Network Segmentation
Isolate the Netman-204 management interface from untrusted networks and the internet.
Access Control Lists
Implement strict firewall rules limiting access to the management interface to authorized IPs only.
🧯 If You Can't Patch
- Implement network segmentation to isolate device from untrusted networks
- Use browser extensions that block CSRF attacks and enforce same-origin policies
🔍 How to Verify
Check if Vulnerable:
Check the device web interface for the version number on the System Information page. If the version is 02.05, the device is vulnerable.
Check Version:
Access web interface at http://[device-ip]/ and navigate to System Information page.
Verify Fix Applied:
After the update, verify that the version shown on the System Information page is 02.06 or later. Test the password-change function with an invalid CSRF token and confirm that the request is rejected.
📡 Detection & Monitoring
Log Indicators:
- Multiple failed login attempts followed by successful password change
- Administrator password change events from unusual IP addresses
Network Indicators:
- HTTP POST requests to the password-change endpoint with a missing Referer/Origin header or one that does not point back at the device
- CSRF attack patterns in web traffic
SIEM Query:
source="netman-204" AND (event_type="password_change" OR url_path="/admin/password_change")
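The network indicator above (password-change POSTs whose Referer does not point back at the device) can be checked offline against exported web logs. The following is an added example, not part of this advisory or of Riello's software: it assumes a combined-style access log with a Referer field (the sample lines are constructed), a device address of 192.0.2.10, and the /admin/password_change path from the SIEM query.

```python
import re
from urllib.parse import urlsplit

DEVICE_HOST = "192.0.2.10"                 # assumed management address of the UPS card
PASSWORD_PATH = "/admin/password_change"   # endpoint named in the advisory's SIEM query

# Combined log format with a trailing Referer field. The layout is an assumption;
# adjust the pattern if the device (or a fronting proxy) logs differently.
LOG_RE = re.compile(
    r'(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)"'
)

# Constructed sample: one legitimate change from the admin UI, then two
# requests that arrive without a same-device Referer.
SAMPLE_LOG = """\
203.0.113.5 - admin [14/Oct/2022:10:01:02 +0000] "GET /admin/password_change HTTP/1.1" 200 1843 "http://192.0.2.10/admin/"
203.0.113.5 - admin [14/Oct/2022:10:01:20 +0000] "POST /admin/password_change HTTP/1.1" 302 0 "http://192.0.2.10/admin/password_change"
203.0.113.5 - admin [14/Oct/2022:10:07:44 +0000] "POST /admin/password_change HTTP/1.1" 302 0 "http://lure.example/page.html"
203.0.113.5 - admin [14/Oct/2022:10:08:01 +0000] "POST /admin/password_change HTTP/1.1" 302 0 "-"
"""

def referer_matches_device(referer: str) -> bool:
    """True only when the Referer points back at the device itself."""
    if referer in ("", "-"):
        return False  # no Referer at all: a same-site origin cannot be shown
    return urlsplit(referer).hostname == DEVICE_HOST

def find_suspicious_password_changes(log_text: str) -> list[dict]:
    """Return POSTs to the password-change path that lack a same-device Referer."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected layout
        if m["method"] != "POST" or urlsplit(m["path"]).path != PASSWORD_PATH:
            continue
        if not referer_matches_device(m["referer"]):
            hits.append({"client": m["client"], "ts": m["ts"], "referer": m["referer"]})
    return hits

if __name__ == "__main__":
    for hit in find_suspicious_password_changes(SAMPLE_LOG):
        print(f"ALERT possible cross-site password change: {hit}")
```

A missing Referer is reported as well, since privacy settings strip it but so does a cross-site request from a page that suppresses it; review those hits against the administrator's own activity before escalating.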