Related vulnerability
Description
Schneider Electric PowerChute Serial Shutdown vulnerability.
Introduction
# CVE-2024-10511
##### CWE-287: Improper Authentication
### Summary
Schneider Electric PowerChute Serial Shutdown is a UPS management product that provides graceful system shutdown
and energy management capabilities for desktops, servers and workstations.
PowerChute Serial Shutdown **v1.2.0.301 and prior** contains a mechanism to “lock out” for 2 minutes after three unsuccessful login attempts to prevent brute force password cracking. PowerChute allows only one account to be created and one login session active at a time.
An unauthenticated attacker can repeatedly send HTTP GET requests to the exposed URL ending in */accessdenied* (each of which increments the failed-login counter), keeping the account permanently locked out and therefore preventing the legitimate user from logging in.
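The lockout condition described above can be spotted from the web server's access log: any source that reaches the three-attempt threshold against a path ending in `/accessdenied` inside the two-minute lockout window is either a mistyped password or this denial-of-service. The following detector is an added example, not code from the advisory or from Schneider Electric; the log line format and the sample lines are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines (assumed format: timestamp src method path status).
SAMPLE_LOG = """\
2024-05-28T10:00:01 10.0.0.5 GET /accessdenied 200
2024-05-28T10:00:03 10.0.0.5 GET /accessdenied 200
2024-05-28T10:00:04 10.0.0.5 GET /accessdenied 200
2024-05-28T10:00:10 10.0.0.9 GET /login 200
2024-05-28T10:01:30 10.0.0.5 GET /accessdenied 200
2024-05-28T10:05:00 10.0.0.7 GET /accessdenied 200
"""

LOCKOUT_THRESHOLD = 3                 # failed attempts before PowerChute locks the account
LOCKOUT_WINDOW = timedelta(minutes=2)  # duration of the lockout

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def parse_line(line):
    """Parse one constructed log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, method, path, status = m.groups()
    return {"ts": datetime.fromisoformat(ts), "src": src,
            "method": method, "path": path, "status": int(status)}


def find_lockout_abuse(log_text, threshold=LOCKOUT_THRESHOLD, window=LOCKOUT_WINDOW):
    """Return {src: max_hits} for every source whose GETs to .../accessdenied
    reach `threshold` within any `window`-long interval (the lockout condition)."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["method"] == "GET" and ev["path"].endswith("/accessdenied"):
            hits[ev["src"]].append(ev["ts"])
    alerts = {}
    for src, times in hits.items():
        times.sort()
        start, worst = 0, 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            worst = max(worst, end - start + 1)
        if worst >= threshold:
            alerts[src] = worst
    return alerts


if __name__ == "__main__":
    print(find_lockout_abuse(SAMPLE_LOG))  # {'10.0.0.5': 4}
```

A single burst may be a user mistyping a password; repeated bursts from one source every couple of minutes, with no successful login in between, match the behaviour this advisory describes.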
### Remediation
PowerChute Serial Shutdown version 1.3 includes a fix for this vulnerability and is available for download here:
[https://www.apc.com/us/en/product-range/137943580-powerchute-serial-shutdown/#software-and-firmware](https://www.apc.com/us/en/product-range/137943580-powerchute-serial-shutdown/#software-and-firmware)
### References
[https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2024-345-01&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2024-345-01.pdf](https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2024-345-01&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2024-345-01.pdf)
[https://www.se.com/us/en/download/document/SEVD-2024-345-01/](https://www.se.com/us/en/download/document/SEVD-2024-345-01/)
### Timeline
28-05-2024 - Vulnerability reported to the vendor.\
21-11-2024 - Vendor issued a patch.\
10-12-2024 - Coordinated public release of Security Notification (SEVD).
File snapshot
[4.0K] /data/pocs/663a146c8cf3d6c11389139e49c97cc97439bc4d
└── [1.7K] README.md
0 directories, 1 file
Notes
1. Accessing the original source is recommended.
2. If the source has gone offline or cannot be accessed, email f.jinxu#gmail.com to request the local snapshot (replace # with @).
3. 神龙 has taken a snapshot of the PoC code for you; to support long-term maintenance, please consider paying for the local PoC. Thank you for your support.