Several Flaws Found in CyberPower and Dataprobe Products

A series of security vulnerabilities has been discovered in CyberPower’s PowerPanel Enterprise Data Center Infrastructure Management (DCIM) platform and Dataprobe’s iBoot power distribution unit (PDU), raising concerns about the security of critical data center operations.

Trellix cybersecurity researchers Sam Quinn, Jesse Chick and Philippe Laulheret discussed the implications of these flaws in a blog post published on Sunday.

With severity scores ranging from 6.7 to 9.8, these vulnerabilities could empower malicious actors to not only paralyze entire data centers but also infiltrate and manipulate data and execute large-scale attacks.

The Dataprobe iBoot PDU vulnerabilities include CVE-2023-3259, which enables an attacker to bypass authentication by deserializing untrusted data, and CVE-2023-3260, which allows authenticated remote code execution via OS command injection. 

Another vulnerability, CVE-2023-3261, leads to a denial-of-service (DoS) condition through a buffer overflow. Moreover, the system’s reliance on hard-coded credentials poses a risk highlighted by CVE-2023-3262. Lastly, an alternate name authentication bypass vulnerability is documented as CVE-2023-3263.

The CyberPower PowerPanel Enterprise vulnerabilities include CVE-2023-3264, involving the use of hard-coded credentials, and CVE-2023-3265, which centers around an authentication bypass through the improper neutralization of escape, meta or control sequences.

Additionally, CVE-2023-3266 reveals an authentication bypass stemming from the improper implementation of security checks for standard protocols, and CVE-2023-3267 enables authenticated remote code execution through OS command injection.

While these vulnerabilities have been addressed in the latest versions (version 2.6.9 of PowerPanel Enterprise and version 1.44.08042023 of the Dataprobe iBoot PDU firmware), their potential impact is far-reaching.

Presenting their findings at the DEFCON security conference last week, the researchers emphasized that, as of now, there is no evidence of these vulnerabilities being exploited in the wild.

Still, it’s essential for organizations to take proactive measures to ensure the security of their data centers. Customers are strongly advised to download and install the patches immediately. 

Additional precautions are recommended to further mitigate risks associated with potential zero-day exploitation. These include ensuring that the PowerPanel Enterprise or iBoot PDU is isolated from the wider internet, particularly by disabling remote access through Dataprobe’s cloud service.
