Multiple security vulnerabilities impacting CyberPower's PowerPanel Enterprise Data Center Infrastructure Management (DCIM) platform and Dataprobe's iBoot Power Distribution Unit (PDU) could be potentially exploited to gain unauthenticated access to these systems and inflict catastrophic damage in target environments.
The nine vulnerabilities, from CVE-2023-3259 through CVE-2023-3267, carry severity scores ranging from 6.7 to 9.8, enabling threat actors to shut down entire data centers and compromise data center deployments to steal data or launch massive attacks at a massive scale.
"An attacker could chain these vulnerabilities together to gain full access to these systems," Trellix security researchers Sam Quinn, Jesse Chick, and Philippe Laulheret said in a report shared with The Hacker News.
"Furthermore, both products are vulnerable to remote code injection that could be leveraged to create a backdoor or an entry point to the broader network of connected data center devices and enterprise systems."
The findings were presented at the DEF CON security conference today. There is no evidence that these shortcomings were abused in the wild. The list of flaws, which have been addressed in version 2.6.9 of PowerPanel Enterprise software and version 1.44.08042023 of the Dataprobe iBoot PDU firmware, is below -
Dataprobe iBoot PDU -
- CVE-2023-3259 (CVSS score: 9.8) - Deserialization of untrusted data, leading to authentication bypass
- CVE-2023-3260 (CVSS score: 7.2) - OS command injection, leading to authenticated remote code execution
- CVE-2023-3261 (CVSS score: 7.5) - Buffer overflow, leading to denial-of-service (DoS)
- CVE-2023-3262 (CVSS score: 6.7) - Use of hard-coded credentials
- CVE-2023-3263 (CVSS score: 7.5) - Authentication bypass by alternate name
CyberPower PowerPanel Enterprise -
- CVE-2023-3264 (CVSS score: 6.7) - Use of hard-coded credentials
- CVE-2023-3265 (CVSS score: 7.2) - Improper neutralization of escape, meta, or control sequences, leading to authentication bypass
- CVE-2023-3266 (CVSS score: 7.5) - Improperly Implemented Security Check for Standard, leading to authentication bypass
- CVE-2023-3267 (CVSS score: 7.5) - OS command injection, leading to authenticated remote code execution
"Enterprise solutions often found in data centers commonly host their software or firmware to the public for download," Quinn told The Hacker News. "This availability allows for researchers like us as well as potential malicious actors to audit these systems in a very low stakes environment."
Successful exploitation of the aforementioned flaws could impact critical infrastructure deployments that rely on data centers, resulting in shutdowns with a "flip of a switch," conduct widespread ransomware, DDoS or wiper attacks, or conduct cyber espionage.
"Several of the vulnerabilities are not particularly sophisticated and do not require hacking tools to exploit them and gain initial access onto the platforms," Quinn said. "For an experienced threat actor group, it would be quite easy for them to chain these vulnerabilities together to gain full access to these systems."
"As more and more businesses seek to expand their on-premises deployments or turn to a more affordable and scalable cloud infrastructure from Amazon, Microsoft, Google, and others, this has created a growing attack vector for threat actors."
"A vulnerability on a single data center management platform or device can quickly lead to a complete compromise of the internal network and give threat actors a foothold to attack any connected cloud infrastructure further," the researchers said.
Trellix further said the impact of in-the-wild exploitation of vulnerabilities typically depends on where the devices sit within an organization's network and infrastructure.
"If vulnerable devices are reachable from the wider internet, gaining highly privileged and destructive access is fairly trivial," Quinn explained. "This puts that company at elevated risk of a remote cyber attack."
"But if the device is only reachable from within an organization's secure intranet, that significantly reduces the odds of a major security incident. This is not a silver bullet, but restricting the number of individuals capable of interacting with the devices from a network design standpoint significantly reduces the likelihood of an attack."
Data centers, the cybersecurity firm noted, continue to be a juicy target for threat actors due to the numerous attack vectors, potential to scale across the network once a foothold has been achieved, and value of the compromised devices/data, making it imperative that organizations keep devices and software platforms secure and up-to-date.
"While discussing the impact of these vulnerabilities with industry experts at both Black Hat and DEFCON, another surprising take away we had was that we were told that it is an unfortunate reality that many hardware devices found in data centers are often never updated in fear of downtime," Quinn said.
"This mindset is exemplified in power management devices (like the PDU) as a reboot is often required for the update to be completed successfully, meaning that all the devices connected to that device will lose power momentarily."
"This momentary power loss is often the deciding factor in the debate of pros vs. cons while considering an update for the specific device. With this said, we still highly recommend every organization update their products with the latest security patches whenever they become available."
