A cybersecurity researcher was threatened with legal action for describing vulnerabilities in Powertek PDUs after patches were released.
The vulnerabilities – two deemed critical and a “handful” of more minor issues – were found by a Polish researcher going by the name Gynvael Coldwind who currently works for Google.
Collectively dubbed ‘Screams of Power’ – due to the researcher’s enjoyment of naming bugs with the help of a metal band name generator – the critical issues are tracked as CVE-2022-33174 and CVE-2022-33175.
Both impact Powertek, a manufacturer of power distribution units (PDUs), key hardware for distributing and managing electrical supplies in data centers.
In March, the researcher reviewed Powertek firmware and discovered multiple issues in v3.30.23 and “possibly prior”. The CVE assignments say that firmware versions before 3.30.30 are affected.
The first vulnerability, CVE-2022-33174, has been issued a CVSS severity score of 9.8 and is described as an authorization bypass issue.
The second bug, CVE-2022-33175, is also subject to a CVSS score of 9.8. This issue is an authenticated session token leak.
Coordinated disclosure
According to the researcher, a vulnerability report was sent to Powertek on February 10, and this was confirmed to have been viewed six days later. Powertek then requested a ‘short’ grace period in May and confirmed that fixes were underway.
Emails were exchanged concerning patch distribution between the vendor and researcher, and in June, CVEs were requested.
The cybersecurity researcher’s blog post, describing the vulnerabilities, was then published.
So far, so good. However, Powertek then sent a tart email to Coldwind, asking why they were “trying to damage the brand”. Coldwind then asked what the vendor meant, leading to a legal threat:
We did not sell anything to you, you can not [sic] talk like you are doing, you will be contacted by our lawyer.
Crossed wires
In an update posted on June 13, the security researcher said that a subsequent phone call with Schneikel, the firm’s Swiss reseller, demonstrated a shift in attitude – and it may have been that the threat was down to a lack of understanding of the disclosure process, as well as fear.
“In general, it’s the same old story: reasonable people mishandling the first ever vulnerability disclosure due to not knowing the industry-accepted standard,” Coldwind commented. “They are interested in upping their security game, which is great.”
Dawid Czarnecki suggested that researchers disclosing vulnerabilities could consider adding a FAQ or guide to their email to take the heat out of their first encounter with such a situation.
“For non-security folks, [vulnerability disclosure] can be perceived as an attack on the company so they sometimes react like that,” Czarnecki noted. “But seeing that after discussions with you they show willingness to improve is very admirable despite the poor first contact.”
The Daily Swig has reached out to the researcher and Powertek and we will update when we hear back.
