A number of new vulnerabilities have been exposed in PDU and DCIM systems commonly used by data center operators.
As well as a Defcon talk, cybersecurity firm Trellix posted research over the weekend listing several newly-found vulnerabilities in power management and supply technologies commonly found in data centers.
“We found four vulnerabilities in CyberPower's PowerPanel Enterprise Data Center Infrastructure Management (DCIM) platform and five vulnerabilities in Dataprobe's iBoot Power Distribution Unit (PDU),” the company said.
“An attacker could chain these vulnerabilities together to gain full access to these systems – which alone could be leveraged to commit substantial damage. Furthermore, both products are vulnerable to remote code injection that could be leveraged to create a backdoor or an entry point to the broader network of connected data center devices and enterprise systems.”
The highest severity vulnerability – rated a CVSS 9.8 critical-level issue – was CVE-2023-3259, an authentication bypass bug in the iBoot PDU allowing threat actors to direct the device to connect to a rouge database and take actions with administrator privileges; including, but not limited to, manipulating power levels, modifying user accounts, and exporting confidential user information.
The cyber firm said through these vulnerabilities, the PDU could be manipulated to damage hardware or shut off entirely. The issues could also be used to connect to other devices on the same network, potentially even customer IT hardware if not properly segmented from building systems.
Both Dataprobe and CyberPower have released fixes for these vulnerabilities; the former with version 2.6.9 of their PowerPanel Enterprise software, and the latter with the latest 1.44.08042023 version of the Dataprobe iBoot PDU firmware. Customers of these products are recommended to update and install these patches.
“We applaud both CyberPower and Dataprobe for their willingness and expediency in working with our team following the discovery of these vulnerabilities,” Treilix said. “Their responsiveness in creating protections for these vulnerabilities and releasing a patch for their customers shows true organizational maturity and drive to improve security across the entire industry.”
Trellix said it had not discovered any malicious uses in the wild of these exploits, but still recommended caution.
As well as the official patches, Trellix further suggested ensuring neither PowerPanel Enterprise nor iBoot PDU are exposed to the wider Internet, removing remote access via Dataprobe's cloud service as an added precaution, resetting passwords associated with all user accounts, and revoking any sensitive information stored on both appliances that may have been leaked.