Multiple Flaws Uncovered in Data Center SystemsVulnerabilities Found in CyberPower and Dataprobe Products
Multiple vulnerabilities in data center power management systems and supply technologies enable threat actors to gain unauthorized access and perform remote code injection.
The attackers can chain multiple vulnerabilities to gain full access to data center systems and perform remote code injection to create a backdoor and make an entry point to the broader network of connected data center devices.
Trellix researchers Sam Quinn and Jesse Chick found four major vulnerabilities in CyberPower's PowerPanel Enterprise Data Center Infrastructure Management platform and five critical vulnerabilities in the Dataprobe's iBoot Power Distribution Unit.
"These alone could be leveraged to commit catastrophic damage," the researchers said.
More than 8 in 10 enterprise data center operators increased their rack densities within the last three years, according to Sunbird Software. Data centers increasingly turn to tools such as DCIM platforms to manage infrastructure, prevent outages and maintain uptime.
Trellix said the market for DCIM reached $2 billion last year and will grow at a compound annual growth rate of 20%, reaching $20 billion in 2032.
Data center equipment and infrastructure solutions provider CyberPower's PowerPanel Enterprise DCIM platform allows information technology teams to manage, configure and monitor the infrastructure within a data center through the cloud, serving as a single source of information and control for all devices.
"These platforms are commonly used by companies managing on-premises server deployments to larger, co-located data centers - like those from major cloud providers AWS, Google Cloud and Microsoft Azure," the researchers said.
Dataprobe manufactures power management products that assist businesses in monitoring and controlling their equipment. The iBoot-PDU allows administrators to remotely manage the power supply to their devices and equipment via a "simple and easy-to-use" web application, according to the researchers, who added that the devices are "typically found in small to midsized data centers and used by SMBs managing on-premises server deployments."
The nine vulnerabilities uncovered in CyberPower's DCIM and Dataprobe's iBoot-PDU are tracked as CVE-2023-3259 through CVE-2023-3267 and have CVSS scores from 6.7 to 9.8.
Researchers urge all potentially affected customers to download and install patches immediately.
- CVE-2023-3264: Use of hard-coded credentials; CVSS score - 6.7;
- CVE-2023-3265: Improper neutralization of escape, meta or control sequences; CVSS score - 7.2;
- CVE-2023-3266: Improperly implemented security check for standard; CVSS score - 7.5;
- CVE-2023-3267: OS command injection; CVSS score - 7.5.
- CVE-2023-3259: Deserialization of untrusted data; CVSS score - 9.8;
- CVE-2023-3260: OS command injection; CVSS score - 7.2;
- CVE-2023-3261: Buffer overflow; CVSS score - 7.5;
- CVE-2023-3262: Use of hard-coded credentials; CVSS score - 6.7;
- CVE-2023-3263: Authentication bypass by alternate name; CVSS score - 7.5).
These vulnerabilities allow a malicious threat actor to cut power to devices connected to a PDU. "A threat actor could cause significant disruption for days at a time with the simple "flip of a switch" in dozens of compromised data centers," the researchers said.
In addition, manipulation of the power management could be used to damage the hardware devices themselves. A report from the Uptime Institute shows that 25% of outages at data centers cost more than $1 million and 45% cost between $100,000 and $1 million.
The attackers could use the vulnerabilities to create a backdoor allowing bad actors a foothold to compromise a huge number of systems and devices. "Malware across such a huge scale of devices could be leveraged for massive ransomware, DDoS, or Wiper attacks - potentially even more widespread than those of StuxNet, Mirai BotNet, or WannaCry," the Trellix researchers said.