TFTP Vulnerabilities for Rack UPS and PDUs

Hello and welcome back! In this week’s blog, we look at a very critical security flaw that exists in many SNMP Cards.  Specifically, we address TFTP Vulnerabilities for Rack UPS and PDUs.

TFTP Vulnerabilities Rack UPS PDU

To begin with, let’s talk about what FTP and its cousin, TFTP is, and why TFTP poses a great security risk to any card with that protocol enabled. FTP stands for File Transfer Protocol, it is a standard means of use by an SNMP Ccommunications card to upgrade its firmware. FTP normally has a basic layer of 1 security password that, while it represents a fairly easy possess to sniff and capture, offers at least some form of security. Unlike FTP, TFTP – or Trivial File Transfer Protocol – has absolutely no login or password options and, hence, anyone with access to the TFTP port on a communications card can gain access to that unit. Here is an excellent overview of TFTP put together by the computer department at the University of Maryland.

This good article from the University of Maryland notes that the only form of security TFTP is to use a setup parameter to limit the origin or type of files that it accepts. Unfortunately, this is of very little help against a hacker of even medium skill level. What makes TFTP so dangerous is that it is normally used for the purpose of upgrading firmware of a communications card. That means that a skilled hacker can download their own code onto your communications card and that card can become a stealth backdoor for surveying and stealing information from your network.

To gauge how easily this could be done, we hired a college intern and gave him the task to create his own version of firmware that would lockout the existing users from a brand-name Uninterruptible Power Supply and give him sole control of that unit. The SNMP card of this unit had TFTP fully functioning and he used that as the key part of his strategy. Here is his quick summary of what he did.

I created a configuration file with new passwords known only to me which gave me authority over all aspects of control of the UPS

Once the configuration file was prepared, it was then added to the home directory of the assigned TFTP server.

The configuration file was then confirmed to have been successfully downloaded using the mfiletransferControlInitiateFileTransfer.

The device then restarted with the new settings applied and at that point, only I was able to communicate and control the UPS. All other users were locked out.

All-in-all, this college intern was able to complete this entire task in just a few hours, without having any knowledge of SNMP cards or similar systems. After studying this, we then saw that there are two very damaging things that a hacker can do to a UPS, a Power Distribution Unit (PDU) or a Computer Room Air Handler/Air Conditioner. These are as follows:

Place a backdoor to feed data to a hacker about all data center equipment, their operating conditions, maintenance, etc.

Place a backdoor to use in gathering and stealing data from servers on the same or adjacent network

I can say that we are aware of specific instances when one of these two items has been done through a UPS SNMP card in a mission critical data facility. Because of this, we have little doubt that this is a tool used by hackers – including nation states and rogue foreign companies – to gain valuable insights on the operations and secrets of various companies and organizations. Because of these facts, we urge the readers of this blog to check and see if you have TFTP enabled on ANY of the communications cards in your data centers, server rooms, network closets or telecom rooms. Please remember that a hacker only needs to enter ONE unit to ultimately have the tools he needs to spy and steal from your organization.

TFTP Vulnerabilities for Rack UPS and PDUs are a widespread problem. A quick survey of major UPS and PDU manufacturers show that ALL of them use TFTP on at least some of their cards. If you have TFTP on any of your communications cards, we would recommend that you place either a RackGuardian (for rack based PDU, UPS and cooling systems) in front of these units to securely monitor them and to firewall the bad guys from every gaining access. If one of your cards has already been compromised, CyberGuardian and RackGuardian are the only two units on the market that will not only keep the bad guys from getting into your systems but, they also keep any malware that has already been implanted from communicating outbound.

Please think about these things this week and, if you would like to have a confidential conversation about protecting your critical power and cooling systems, please feel free to give us a call.

Until Next Time,

Be Well!