The Trellix Advanced Research Center has conducted a targeted investigation into data center vulnerabilities, uncovering four vulnerabilities within CyberPower’s Data Center Infrastructure Management (DCIM) platform and five vulnerabilities in Dataprobe’s iBoot Power Distribution Unit (PDU). If exploited sequentially, these vulnerabilities could provide unauthorized access to these systems, potentially leading to substantial harm. Furthermore, both products are susceptible to remote code injection, which could serve as a gateway for unauthorized entry into interconnected data center devices and enterprise networks.
CyberPower, a prominent provider of data center solutions specializing in power management systems, offers the DCIM platform to enable cloud-based management, configuration, and monitoring of data center infrastructure. This platform is widely used by various organizations, ranging from on-premises server setups to large-scale co-located data centers operated by major cloud service providers like AWS, Google Cloud, and Microsoft Azure.
Dataprobe, known for its power management products, manufactures the iBoot PDU, allowing remote administration of device power supply via a user-friendly web application. The iBoot PDU has diverse applications across industries, including data centers, transportation, finance, smart city IoT setups, and government sectors.
The Trellix team’s findings include four major vulnerabilities within CyberPower’s DCIM and five critical vulnerabilities in Dataprobe’s iBoot PDU:
CyberPower DCIM:
– CVE-2023-3264: Hard-coded Credentials Usage (CVSS 6.7)
– CVE-2023-3265: Inadequate Handling of Escape Sequences (Authentication Bypass; CVSS 7.2)
– CVE-2023-3266: Insufficient Security Check for Standard Processes (Authentication Bypass; CVSS 7.5)
– CVE-2023-3267: Operating System Command Injection (Authenticated Remote Code Execution; CVSS 7.5)
Dataprobe iBoot PDU:
– CVE-2023-3259: Untrusted Data Deserialization (Authentication Bypass; CVSS 9.8)
– CVE-2023-3260: Operating System Command Injection (Authenticated Remote Code Execution; CVSS 7.2)
– CVE-2023-3261: Buffer Overflow (Denial of Service; CVSS 7.5)
– CVE-2023-3262: Hard-coded Credentials Usage (CVSS 6.7)
– CVE-2023-3263: Alternate Name Authentication Bypass (Authentication Bypass; CVSS 7.5)
John Fokker, Head of Threat Intelligence at Trellix Advanced Research Center, emphasized the significance of these vulnerabilities in a world heavily reliant on data. He stated that such vulnerabilities could enable cybercriminals to compromise data center systems, potentially leading to large-scale data theft or global-scale attacks, thereby posing significant threats to both individuals and businesses.
The potential impact of exploiting these vulnerabilities spans various scenarios:
– Power Disruption: Exploiting power management systems to cut power to connected devices could result in widespread disruptions, affecting websites, business applications, consumer technologies, and critical infrastructure.
– Large-Scale Malware Attacks: Creating backdoors through these platforms could offer attackers access to numerous systems, making it possible to compromise both data centers and connected business networks over time.
– Cyberespionage: Advanced Persistent Threats (APTs) and nation-state actors could exploit these vulnerabilities for cyberespionage operations.
To mitigate these risks, both CyberPower and Dataprobe have released fixes for the vulnerabilities. Trellix strongly recommends that impacted customers install these patches promptly. Additionally, the following steps are advised for potentially exposed devices or platforms:
– Restrict internet exposure of PowerPanel Enterprise or iBoot PDU to your organization’s secure intranet.
– Consider disabling remote access for iBoot PDU via Dataprobe’s cloud service.
– Update user account passwords and remove sensitive data from compromised appliances.
– Update to the latest PowerPanel Enterprise version or iBoot PDU firmware, and subscribe to vendor security updates.
Trellix commended the responsiveness of CyberPower and Dataprobe in promptly addressing these vulnerabilities, highlighting their commitment to improving security standards within the industry.