Businesses are looking to digital transformation and cloud services to support new working practices. It would be extremely simple for criminals to get into essential data center power management gear, turn off electricity to numerous linked devices, and interrupt all types of services, from critical infrastructure to commercial applications.
The Trellix Advanced Research Centre focused exclusively on the power supply and management systems used in data centers.
Researchers discovered four vulnerabilities in CyberPower’s PowerPanel Enterprise Data Centre Infrastructure Management (DCIM) platform and five vulnerabilities in Dataprobe’s iBoot Power Distribution Unit (PDU).
“Both products are vulnerable to remote code injection that could be leveraged to create a backdoor or an entry point to the broader network of connected data center devices and enterprise systems”, researchers explain.
Vulnerabilities in CyberPower’s PowerPanel Enterprise
CyberPower is a well-known provider of infrastructure and equipment for data centers, specializing in power management and protection technologies.
Their PowerPanel Enterprise DCIM platform serves as a single point of information and command for all devices, enabling IT professionals to manage, configure, and monitor the infrastructure within a data center over the cloud.
Reports say companies moving on-premise server installations to bigger, co-located data centers, such as those from leading cloud providers AWS, Google Cloud, Microsoft Azure, etc., frequently employ these platforms.
Sunbird Software estimates that 83% of business data center operators have increased rack density in the previous three years. As a result, they are looking to technologies like DCIM platforms to help manage their infrastructure, avoid outages, and preserve uptime.
Four significant flaws were discovered in CyberPower’s PowerPanel Enterprise:
- CVE-2023-3264: Use of Hard-coded Credentials (CVSS 6.7)
- CVE-2023-3265: Improper Neutralization of Escape, Meta, or Control Sequences (Auth Bypass; CVSS 7.2)
- CVE-2023-3266: Improperly Implemented Security Check for Standard (Auth Bypass; CVSS 7.5)
- CVE-2023-3267: OS Command Injection (Authenticated RCE; CVSS 7.5)
In particular, any of the first three CVEs could be used by criminals to bypass authentication checks, access the management interface, and shut down devices inside data centers.
“The manipulation of the power management can be used to damage the hardware devices themselves – making them far less effective if not inoperable”, researchers said.
Dataprobe’s iBoot PDU
Power management devices made by Dataprobe help companies manage and monitor their infrastructure. Through a straightforward and user-friendly online application, their iBoot PDU enables managers to remotely regulate the power supply to their devices and equipment.
Dataprobe has hundreds of devices deployed in a variety of sectors, including government organizations, financial institutions, smart city IoT installations, and travel and transportation infrastructure.
Reports stated that thousands of these PDUs are used for tasks like digital signage, telecommunications, remote site management, and much more. The iBoot PDU in particular has been in use since 2016.
Five critical vulnerabilities in Dataprobe’s iBoot PDU:
With access to these power management systems, even the simple act of cutting power to devices connected to a PDU would be significant.
“A threat actor could cause significant disruption for days at a time with the simple “flip of a switch” in dozens of compromised data centers”, researchers explain.
The infected machines might be used to launch massive ransomware, DDoS, or wiper attacks that could be far more widespread than those launched by Stuxnet, the Mirai botnet, or WannaCry.
Patches Available
Version 2.6.9 of CyberPower’s PowerPanel Enterprise software and version 1.44.08042023 of the Dataprobe iBoot PDU firmware both provide patches for these issues.
All potentially vulnerable customers are therefore urged to download and apply these fixes immediately.
Source: https://cybersecuritynews.com/power-management-devices-flaw/