- Ten bugs were found in E2 and E3 Copeland controllers
- Copeland released a fix with a firmware update
- When combined, the flaws can lead to remote code execution
Two Copeland controllers, electronic control systems used in refrigerators and HVAC applications, were carrying almost a dozen vulnerabilities that could have been exploited for privilege escalation and remote code execution (RCE), putting thousands of companies at all sorts of risks.
E2 and E3 Copeland controllers are designed to manage temperature, energy use, and system performance. They’re commonly found in supermarkets, convenience stores, and foodservice operations and apparently, they are quite popular in the United States.
Recently, security researchers from the operational technology security firm Armis found a total of 10 vulnerabilities, and collectively named them Frostbyte10. They reported their findings to Copeland, which issued a firmware update to address the flaws and mitigate potential risks.
According to The Register, Copeland has a presence in more than 40 countries, with giants such as Kroger, Albertsons, and Whole Foods, being among its customers. It reported $4.75 billion in revenue in 2024.
Firmware update
Of the two controllers, E2 reached end-of-life in October, the publication added, but Copeland still issued a firmware update. Users are advised to upgrade to the newest model – E3 – and to make sure they’re running firmware version 2.31F01, at least.
The US Cybersecurity and Infrastructure Security Agency (CISA) is expected to issue an advisory about these flaws as well, but it wasn’t published by press time. Still, CISA said combining the problems “can result in unauthenticated remote code execution with root privileges,” The Register noted.
So far, Armis seems to be the first one to discover the flaws, as there is no evidence that any of them had been abused in the wild before. However, if businesses don’t patch their devices up, they will remain vulnerable to widely known, publicized flaws. Many threat actors intentionally wait for someone else to discover the flaws, betting that most firms don’t apply the fixes on time.
Via The Register
You might also like
https://cdn.mos.cms.futurecdn.net/MdEXKvFQhfY7UE8zEoUBbi.jpg
Source link
