CXO Insight Middle East

Trellix Advanced Research Center uncovers vulnerabilities in data center infrastructure

by CXO Staff
August 14, 2023
in News

The team found four major vulnerabilities in CyberPower's DCIM and five critical vulnerabilities in Dataprobe's iBoot PDU

As part of a focused effort on vulnerability discovery in data centers, the Trellix Advanced Research Center has found four vulnerabilities in CyberPower’s Data Center Infrastructure Management (DCIM) platform and five vulnerabilities in Dataprobe’s iBoot Power Distribution Unit (PDU). An attacker could chain these vulnerabilities together to gain full access to these systems, which alone could be leveraged to cause substantial damage. Furthermore, both products are vulnerable to remote code injection that could be leveraged to create a backdoor or an entry point to the broader network of connected data center devices and enterprise systems.

CyberPower is a vendor of data center equipment and infrastructure solutions, specialising in power protection technologies and power management systems. Their DCIM platform allows IT teams to manage, configure, and monitor the infrastructure within a data center through the cloud, serving as a single source of information and control for all devices. These platforms are commonly used by companies managing anything from on-premise server deployments to larger, co-located data centers, like those from major cloud providers AWS, Google Cloud, Microsoft Azure, etc.

Dataprobe manufactures power management products that assist businesses in monitoring and controlling their infrastructure. Their iBoot PDU allows administrators to remotely manage the power supply to their devices and equipment via a simple and easy-to-use web application. Dataprobe has thousands of devices across numerous industries, including deployments in data centers, travel and transportation infrastructure, financial institutions, smart city IoT installations, and government agencies.

The team found four major vulnerabilities in CyberPower’s DCIM and five critical vulnerabilities in Dataprobe’s iBoot PDU:

  • CyberPower DCIM:
    • CVE-2023-3264: Use of Hard-coded Credentials (CVSS 6.7)
    • CVE-2023-3265: Improper Neutralisation of Escape, Meta, or Control Sequences (Auth Bypass; CVSS 7.2)
    • CVE-2023-3266: Improperly Implemented Security Check for Standard (Auth Bypass; CVSS 7.5)
    • CVE-2023-3267: OS Command Injection (Authenticated RCE; CVSS 7.5)
  • Dataprobe iBoot PDU:
    • CVE-2023-3259: Deserialisation of Untrusted Data (Auth Bypass; CVSS 9.8)
    • CVE-2023-3260: OS Command Injection (Authenticated RCE; CVSS 7.2)
    • CVE-2023-3261: Buffer Overflow (DOS; CVSS 7.5)
    • CVE-2023-3262: Use of Hard-coded Credentials (CVSS 6.7)
    • CVE-2023-3263: Authentication Bypass by Alternate Name (Auth Bypass; CVSS 7.5)

“In a world growing ever-reliant on massive amounts of data for business operations, critical infrastructure, and basic internet activities, major vulnerabilities in the data centers making all this possible are a large risk to daily society. Vulnerabilities that enable cybercriminals to slowly infect entire data center deployments to steal key data and information or utilise compromised resources to initiate attacks at a global scale could be leveraged for massive damage. The threats and risks to both consumers and enterprises are high,” commented Sam Quinn, Senior Security Researcher and Jesse Chick, Vulnerability Researcher at the Trellix Advanced Research Center.

Below are some examples of the level of damage a malicious threat actor could do when utilising exploits of this level across numerous data centers:

  • Power Off: Through access to these power management systems, even the simple act of cutting power to devices connected to a PDU would be significant. Websites, business applications, consumer technologies, and critical infrastructure deployments all rely on the availability of these data centers to operate. A threat actor could cause significant disruption for days at a time with the simple “flip of a switch” in dozens of compromised data centers.
  • Malware at Scale: Using these platforms to create a backdoor on the data center equipment provides bad actors a foothold to compromise a huge number of systems and devices. Some data centers host thousands of servers and connect to hundreds of various business applications. Malicious attackers could slowly compromise both the data center and the business networks connected to it.
  • Digital Espionage: In addition to the previously mentioned malicious activities one would expect of cybercriminals, APTs and nation-state backed threat actors could leverage these exploits to conduct cyberespionage attacks.

Recommendation 

Both Dataprobe and CyberPower have released fixes for these vulnerabilities with CyberPower DCIM version 2.6.9 of their PowerPanel Enterprise software and the latest 1.44.08042023 version of the Dataprobe iBoot PDU firmware. Trellix strongly urges all potentially impacted customers to download and install these patches immediately.

In addition to the official patches, Trellix would suggest taking additional steps for any devices or platforms potentially exposed to 0-day exploitation by these vulnerable products:

  • Ensure that your PowerPanel Enterprise or iBoot PDU are not exposed to the wider Internet. Each should be reachable only from within your organisation’s secure intranet.
    • In the case of the iBoot PDU, Trellix suggests disabling remote access via Dataprobe’s cloud service as an added precaution.
  • Modify the passwords associated with all user accounts and revoke any sensitive information stored on both appliances that may have been leaked.
  • Update to the latest version of PowerPanel Enterprise or install the latest firmware for the iBoot PDU and subscribe to the relevant vendor’s security update notifications.
    • Although this measure in and of itself will not reduce risk of attack via the vulnerabilities described in this document, updating all your software to the latest and greatest version promptly is the best practice for ensuring your window of exposure is as short as possible in this and future cases.
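The checks in the list above can be run over an asset inventory. The following is an added example, not code from Trellix or either vendor: it flags records below the fixed releases named in the article, management interfaces reachable from outside the intranet, and iBoot units with cloud remote access enabled. The inventory fields, the intranet range and the reading of the iBoot build field as an MMDDYYYY date are assumptions.

```python
import ipaddress

# Fixed releases named in the article.
FIXED = {"PowerPanel Enterprise": "2.6.9", "iBoot PDU": "1.44.08042023"}
# Assumption: the organisation's intranet ranges (hypothetical values).
INTRANET = [ipaddress.ip_network("10.0.0.0/8")]


def version_key(product, version):
    """Return a tuple that sorts in release order."""
    parts = version.split(".")
    if product == "iBoot PDU":
        # Assumption: the third field is a build date written MMDDYYYY,
        # so it is reordered to (year, month, day) before comparing.
        major, minor, build = parts
        if len(build) != 8:
            raise ValueError("unexpected build field: " + build)
        return (int(major), int(minor),
                int(build[4:]), int(build[:2]), int(build[2:4]))
    return tuple(int(p) for p in parts)


def audit(inventory):
    """Return (name, finding) pairs for records that need attention."""
    findings = []
    for rec in inventory:
        product = rec["product"]
        if product not in FIXED:
            continue
        try:
            if version_key(product, rec["version"]) < version_key(product, FIXED[product]):
                findings.append((rec["name"], "below fixed release " + FIXED[product]))
        except ValueError:
            findings.append((rec["name"], "version not parseable, check by hand"))
        for src in rec["allowed_sources"]:
            net = ipaddress.ip_network(src)
            if not any(net.version == i.version and net.subnet_of(i) for i in INTRANET):
                findings.append((rec["name"], "management reachable from " + src))
        if product == "iBoot PDU" and rec.get("cloud_access"):
            findings.append((rec["name"], "vendor cloud remote access enabled"))
    return findings


# Constructed sample inventory, not real hosts.
SAMPLE = [
    {"name": "dcim-01", "product": "PowerPanel Enterprise", "version": "2.6.0", "allowed_sources": ["10.20.0.0/16"]},
    {"name": "pdu-a1", "product": "iBoot PDU", "version": "1.44.12012022", "allowed_sources": ["0.0.0.0/0"], "cloud_access": True},
    {"name": "pdu-b2", "product": "iBoot PDU", "version": "1.44.08042023", "allowed_sources": ["10.30.5.0/24"], "cloud_access": False},
]
```

Under the date assumption, `pdu-a1` is reported as outdated even though its build field is numerically larger than the fixed release's, which is why the field is reordered rather than compared as a plain integer.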

“The devices and software platforms that service data centers must remain secure and updated, and the vendors producing this hardware and software have processes in place for quick and efficient response following vulnerability disclosures,” added Quinn and Chick. “We applaud both CyberPower and Dataprobe for their willingness and expediency in working with our team following the discovery of these vulnerabilities. Their responsiveness in creating protections for these vulnerabilities and releasing a patch for their customers shows true organisational maturity and drive to improve security across the entire industry.”

Tags: CyberPower, CyberPower's Data Centre Infrastructure Management (DCIM), Dataprobe's iBoot Power Distribution Unit (PDU), Trellix, Trellix Advanced Research Center