Security researcher receives legal threat over patched Powertek data center vulnerabilities

A cybersecurity researcher was threatened with legal action for describing vulnerabilities in Powertek PDUs after patches were released.

The vulnerabilities – two deemed critical and a “handful” of more minor issues – were found by a Polish researcher going by the name Gynvael Coldwind who currently works for Google.

Collectively dubbed ‘Screams of Power’ – due to the researcher’s enjoyment of naming bugs with the help of a metal band name generator – the critical issues are tracked as CVE-2022-33174 and CVE-2022-33175.

Both impact Powertek, a manufacturer of power distribution units (PDUs), key hardware for distributing and managing electrical supplies in data centers.

In March, the researcher reviewed Powertek firmware and discovered multiple issues in v3.30.23 and “possibly prior”. The CVE assignments say that firmware versions before 3.30.30 are affected.

The first vulnerability, CVE-2022-33174, has been issued a CVSS severity score of 9.8 and is described as an authorization bypass issue.

The second bug, CVE-2022-33175, also carries a CVSS score of 9.8. This issue is an authenticated session token leak.

Coordinated disclosure

According to the researcher, a vulnerability report was sent to Powertek on February 10, and this was confirmed to have been viewed six days later. Powertek then requested a ‘short’ grace period in May and confirmed that fixes were underway.

Emails were exchanged concerning patch distribution between the vendor and researcher, and in June, CVEs were requested.

The cybersecurity researcher’s blog post, describing the vulnerabilities, was then published.

So far, so good. However, Powertek then sent a tart email to Coldwind, asking why they were “trying to damage the brand”. Coldwind then asked what the vendor meant, leading to a legal threat:

We did not sell anything to you, you can not [sic] talk like you are doing, you will be contacted by our lawyer.

Crossed wires

In an update posted on June 13, the security researcher said that a subsequent phone call with Schneikel, the firm’s Swiss reseller, demonstrated a shift in attitude, and that the threat may have stemmed from a lack of understanding of the disclosure process, as well as fear.

“In general, it’s the same old story: reasonable people mishandling the first ever vulnerability disclosure due to not knowing the industry-accepted standard,” Coldwind commented. “They are interested in upping their security game, which is great.”

Dawid Czarnecki suggested that researchers disclosing vulnerabilities could consider adding a FAQ or guide to their email to take the heat out of their first encounter with such a situation.

“For non-security folks, [vulnerability disclosure] can be perceived as an attack on the company so they sometimes react like that,” Czarnecki noted. “But seeing that after discussions with you they show willingness to improve is very admirable despite the poor first contact.”

The Daily Swig has reached out to the researcher and Powertek and we will update when we hear back.

Source: https://portswigger.net/daily-swig/security-researcher-receives-legal-threat-over-patched-powertek-data-center-vulnerabilities