Major vulnerabilities discovered in data center solutions
Researchers have discovered serious security vulnerabilities in two widely used data center solutions: CyberPower’s PowerPanel Enterprise Data Center Infrastructure Management (DCIM) platform and Dataprobe’s iBoot Power Distribution Unit (PDU).
“An attacker could chain these vulnerabilities together to gain full access to these systems – which alone could be leveraged to commit substantial damage. Furthermore, both products are vulnerable to remote code injection that could be leveraged to create a backdoor or an entry point to the broader network of connected data center devices and enterprise systems,” Trellix researchers noted.
About the vulnerabilities
The vulnerabilities found in CyberPower’s PowerPanel Enterprise DCIM include three authentication bypass flaws (CVE-2023-3264, CVE-2023-3265, CVE-2023-3266) and an OS command injection bug that could lead to authenticated RCE (CVE-2023-3267).
The vulnerabilities in Dataprobe iBoot PDU could be exploited to bypass authentication (CVE-2023-3259, CVE-2023-3263), to achieve authenticated RCE via OS command injection (CVE-2023-3260), trigger DOS (CVE-2023-3261), and to tamper with the internal Postgres database (CVE-2023-3262).
Additional details have been disclosed by the researchers at this year’s DEF CON.
The impact
By leveraging these vulnerabilities, threat actors can compromise data centers in numerous ways and with different goals in mind. They could:
- Cut power to devices connected to a PDU which could cause disruption and damage the hardware devices themselves
- Create a backdoor within the data center, enabling them to inject malware for the purpose of conducting ransomware, DDoS, or wiper attacks
- Exploit these bugs for cyberespionage objectives
“A vulnerability on a single data center management platform or device can quickly lead to a complete compromise of the internal network and give threat actors a foothold to attack any connected cloud infrastructure further,” the researchers said.
“We are fortunate enough to have caught these vulnerabilities early – without having discovered any malicious uses in the wild of these exploits.”
Both CyberPower and Dataprobe have released fixes to these vulnerabilities. Customers are urged to update to version 2.6.9 of the PowerPanel Enterprise software and the latest 1.44.08042023 version of the Dataprobe iBoot PDU firmware.
Trellix researchers also advise customers to avoid exposing those platforms or devices to the wider internet, change all user accounts’ passwords and revoke possibly leaked sensitive data held on those devices, and to subscribe to notifications about vendor’s security updates.