CVE-2022-3184
Published: 2022-12-21
Priority: P266 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 11.63% (95.5th percentile)
Dataprobe iBoot-PDU FW versions prior to 1.42.06162022 contain a vulnerability where the device’s existing firmware allows unauthenticated users to access an old PHP page vulnerable to directory traversal, which may allow a user to write a file to the webroot directory.
Affected
13 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| dataprobe | iboot-pdu4-n20_firmware | < 1.42.06162022 | 1.42.06162022 |
| dataprobe | iboot-pdu4a-n15_firmware | < 1.42.06162022 | 1.42.06162022 |
| dataprobe | iboot-pdu4a-n20_firmware | < 1.42.06162022 | 1.42.06162022 |
| dataprobe | iboot-pdu4sa-n15_firmware | < 1.42.06162022 | 1.42.06162022 |
| dataprobe | iboot-pdu4sa-n20_firmware | < 1.42.06162022 | 1.42.06162022 |
| dataprobe | iboot-pdu8a-2n15_firmware | < 1.42.06162022 | 1.42.06162022 |
| dataprobe | iboot-pdu8a-2n20_firmware | < 1.42.06162022 | 1.42.06162022 |
| dataprobe | iboot-pdu8a-n15_firmware | < 1.42.06162022 | 1.42.06162022 |
| dataprobe | iboot-pdu8a-n20_firmware | < 1.42.06162022 | 1.42.06162022 |
| dataprobe | iboot-pdu8sa-2n15_firmware | < 1.42.06162022 | 1.42.06162022 |
| dataprobe | iboot-pdu8sa-n15_firmware | < 1.42.06162022 | 1.42.06162022 |
| dataprobe | iboot-pdu8sa-n20_firmware | < 1.42.06162022 | 1.42.06162022 |
| dataprobe | iboot-pdu_fw | <= 1.42.06162022 | — |
Detection & IOCs
Path: /php/git-update.php
snort
alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Dataprobe iBoot-PDU Pre-Auth Remote Code Execution Attempt via git-update.php (CVE-2022-3184) M1"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:19; content:"/php/git-update.php"; fast_pattern; http.request_body; content:"branch|3d 2e 2e 2f 2e 2e 2f 2e 2e 2f|"; content:"token|3d 26|"; reference:url,claroty.com/team82/research/jumping-nat-to-shut-down-electric-devices; reference:cve,2022-3184; classtype:attempted-admin; sid:2038965; rev:2;)
snort
alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Dataprobe iBoot-PDU Pre-Auth Remote Code Execution Attempt via git-update.php (CVE-2022-3184) M2"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:19; content:"/php/git-update.php"; fast_pattern; http.request_body; content:"branch=|2e 2e 25 32 46 2e 2e 25 32 46 2e 2e 25 32 46|"; content:"token=|25 32 36|"; reference:url,claroty.com/team82/research/jumping-nat-to-shut-down-electric-devices; reference:cve,2022-3184; classtype:attempted-admin; sid:2038966; rev:2;)
bytes
- branch|3d 2e 2e 2f 2e 2e 2f 2e 2e 2f| (raw directory traversal: branch=../../../)
- branch=|2e 2e 25 32 46 2e 2e 25 32 46 2e 2e 25 32 46| (URL-encoded directory traversal: branch=..%2F..%2F..%2F)
- token|3d 26| (token=&, an empty/null token parameter)
- token=|25 32 36| (URL-encoded token=&, an empty/null token parameter)
- The exploit arrives as an HTTP POST request to the exact URI /php/git-update.php (URI byte-size is exactly 19); match on both raw and URL-encoded directory traversal variants in the request body.
- Vulnerable firmware versions are strictly those prior to 1.42.06162022; devices already patched to 1.42.06162022 or later are not affected.
- The Snort rules are scoped to inbound traffic toward $HOME_NET only; ensure $HOME_NET correctly includes all iBoot-PDU management interfaces to avoid blind spots.
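The matching logic of the two rules above, as an added example (not part of the original page and not the rule authors' code): it decodes the rules' `content` strings, including the `|hex|` runs, and applies the same method, URI and body conditions to already-parsed HTTP requests, for instance when hunting through proxy or WAF logs. The function names and the sample requests are constructed for illustration.

```python
# Content strings copied from the two rules on this page (sid 2038965 and 2038966).
RULES = {
    "M1": ["branch|3d 2e 2e 2f 2e 2e 2f 2e 2e 2f|", "token|3d 26|"],
    "M2": ["branch=|2e 2e 25 32 46 2e 2e 25 32 46 2e 2e 25 32 46|",
           "token=|25 32 36|"],
}
# content:"/php/git-update.php" plus bsize:19 means the URI buffer must equal
# this string exactly (19 bytes, so no query string and no extra path).
TARGET_URI = b"/php/git-update.php"


def decode_content(pattern):
    """Turn a rule content string with |hex| runs into the raw bytes it matches."""
    out = bytearray()
    # Splitting on '|' alternates literal text (even index) and hex runs (odd index).
    for i, part in enumerate(pattern.split("|")):
        if i % 2:
            out += bytes.fromhex(part.replace(" ", ""))
        else:
            out += part.encode("ascii")
    return bytes(out)


def match_request(method, uri, body):
    """Return the rule variants (M1/M2) whose conditions a request meets."""
    if method != "POST" or uri != TARGET_URI:
        return []
    # Both content strings of a rule must be present in the request body.
    return [name for name, contents in RULES.items()
            if all(decode_content(c) in body for c in contents)]


# Constructed sample requests (method, URI, body); not captured traffic.
SAMPLES = [
    ("POST", b"/php/git-update.php", b"branch=../../../&token=&"),
    ("POST", b"/php/git-update.php", b"branch=..%2F..%2F..%2F&token=%26"),
    ("POST", b"/php/git-update.php", b"branch=main&token=abc"),
    ("GET", b"/php/git-update.php", b""),
]

if __name__ == "__main__":
    for method, uri, body in SAMPLES:
        print(method, uri.decode(), match_request(method, uri, body) or "no match")
```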
CISA ICS
Dataprobe iBoot-PDU (Update A)
cisa_ics · 2022-09-20 · CVSS 9.8 [CRITICAL]
ICS Advisory
Last Revised: May 04, 2023
Alert Code: ICSA-22-263-03
## 1. EXECUTIVE SUMMARY
- CVSS v3 9.8
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Dataprobe
- Equipment: iBoot-PDU FW
- Vulnerabilities: OS Command Injection, Path Traversal, Exposure of Sensitive Information to an Unauthorized Actor, Improper Access Control, Improper Authorization, Incorrect Authorization, SSRF, Stack-Based Buffer Overflow, Use of Weak Credentials, Plaintext Storage of a Password, Authentication Bypass Using an Alternate Path or Channel
## 2. UPDATE OR REPOSTED INFORMATION
This updated advisory is a follow-up to the original advisory titled ICSA-22-263-03 Dataprobe iBoot-PDU that was published September 20, 2022, on the IC
GHSA
GHSA-g722-qfq8-hp64 · CVE-2022-3184 · CWE-22 [CRITICAL]
ghsa_unreviewed · 2023-07-06
Suricata
ET EXPLOIT Dataprobe iBoot-PDU Pre-Auth Remote Code Execution Attempt via git-update.php (CVE-2022-3184) M1
suricata · 2022-09-23 · CVSS 9.8 · CVE-2022-3184 [CRITICAL]
Rule: alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Dataprobe iBoot-PDU Pre-Auth Remote Code Execution Attempt via git-update.php (CVE-2022-3184) M1"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:19; content:"/php/git-update.php"; fast_pattern; http.request_body; content:"branch|3d 2e 2e 2f 2e 2e 2f 2e 2e 2f|"; content:"token|3d 26|"; reference:url,claroty.com/team82/research/jumping-nat-to-shut-down-electric-devices; reference:cve,2022-3184; classtype:attempted-admin; sid:2038965; rev:2; metadata:affected_product IoT, attack_target Networking_Equipment, created_at 2022_09_23, cve CVE_2022_3184, deployment Perimeter, deployment Internal, deployment
Suricata
ET EXPLOIT Dataprobe iBoot-PDU Pre-Auth Remote Code Execution Attempt via git-update.php (CVE-2022-3184) M2
suricata · 2022-09-23 · CVSS 9.8 · CVE-2022-3184 [CRITICAL]
Rule: alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Dataprobe iBoot-PDU Pre-Auth Remote Code Execution Attempt via git-update.php (CVE-2022-3184) M2"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:19; content:"/php/git-update.php"; fast_pattern; http.request_body; content:"branch=|2e 2e 25 32 46 2e 2e 25 32 46 2e 2e 25 32 46|"; content:"token=|25 32 36|"; reference:url,claroty.com/team82/research/jumping-nat-to-shut-down-electric-devices; reference:cve,2022-3184; classtype:attempted-admin; sid:2038966; rev:2; metadata:affected_product IoT, attack_target Networking_Equipment, created_at 2022_09_23, cve CVE_2022_3184, deployment Perimeter, deployment
No public exploits indexed.
No writeups or analysis indexed.