Trellix Advanced Research Center Uncovers Vulnerabilities in Data Centre Infrastructure

Trellix-Advanced-Research-Centre-Uncovers-Vulnerabilities-in-Data-Center-Infrastructure

As part of a focused effort on vulnerability discovery in data centres, the Trellix Advanced Research Center has found four vulnerabilities in CyberPower’s Data Center Infrastructure Management (DCIM) platform and five vulnerabilities in Dataprobe’s iBoot Power Distribution Unit (PDU). An attacker could chain these vulnerabilities together to gain full access to these systems — which alone could be leveraged to commit substantial damage. Furthermore, both products are vulnerable to remote code injection that could be leveraged to create a backdoor or an entry point to the broader network of connected data centre devices and enterprise systems.

CyberPower is a leading vendor of data centre equipment and infrastructure solutions, specialising in power protection technologies and power management systems. Their DCIM platform allows IT teams to manage, configure, and monitor the infrastructure within a data centre through the cloud, serving as a single source of information and control for all devices. These platforms are commonly used by companies managing on-premise server deployments to larger, co-located data centres — like those from major cloud providers AWS, Google Cloud, Microsoft Azure, etc. 

Dataprobe manufactures power management products that assist businesses in monitoring and controlling their infrastructure. Their iBoot PDU allows administrators to remotely manage the power supply to their devices and equipment via a simple and easy-to-use web application. Dataprobe has thousands of devices across numerous industries — from deployments in data centres, travel and transportation infrastructure, financial institutions, smart city IoT installations, and government agencies.

The team found four major vulnerabilities in CyberPower’s DCIM and five critical vulnerabilities in the Dataprobe’s iBoot PDU:

  • CyberPower DCIM:
    • CVE-2023-3264: Use of Hard-coded Credentials (CVSS 6.7)
    • CVE-2023-3265: Improper Neutralization of Escape, Meta, or Control Sequences (Auth Bypass; CVSS 7.2)
    • CVE-2023-3266: Improperly Implemented Security Check for Standard (Auth Bypass; CVSS 7.5)
    • CVE-2023-3267: OS Command Injection (Authenticated RCE; CVSS 7.5)
  • Dataprobe iBoot PDU:
    • CVE-2023-3259: Deserialization of Untrusted Data (Auth Bypass; CVSS 9.8)
    • CVE-2023-3260: OS Command Injection (Authenticated RCE; CVSS 7.2)
    • CVE-2023-3261: Buffer Overflow (DOS; CVSS 7.5)
    • CVE-2023-3262: Use of Hard-coded Credentials (CVSS 6.7)
    • CVE-2023-3263: Authentication Bypass by Alternate Name (Auth Bypass; CVSS 7.5)

“In a world growing ever-reliant on massive amounts of data for business operations, critical infrastructure, and basic internet activities, major vulnerabilities in the data centres making all this possible is a large risk to daily society. Vulnerabilities that enable cybercriminals to slowly infect entire data centre deployments to steal key data and information or utilise compromised resources to initiate attacks at a global scale could be leveraged for massive damage. The threats and risks to consumers and enterprises are high,” commented Sam Quinn, Senior Security Researcher and Jesse Chick, Vulnerability Researcher at the Trellix Advanced Research Center.

Below are some examples of the level of damage a malicious threat actor could do when utilising exploits of this level across numerous data centres:

  • Power Off: Through access to these power management systems, even cutting power to devices connected to a PDU would be significant. Websites, business applications, consumer technologies, and critical infrastructure deployments all rely on the availability of these data centres to operate. A threat actor could cause significant daily disruption with the simple “flip of a switch” in dozens of compromised data centres.  
  • Malware at Scale: Using these platforms to create a backdoor on the data centre equipment provides bad actors with a foothold to compromise many systems and devices. Some data centres host thousands of servers and connect to hundreds of various business applications. Malicious attackers could slowly compromise both the data centre and the business networks connected to it.  
  • Digital Espionage: Besides the previously mentioned malicious activities one would expect of cybercriminals, APTs and nation-state-backed threat actors could leverage these exploits to conduct cyberespionage attacks. 

Recommendation 

Dataprobe and CyberPower have released fixes for these vulnerabilities with CyberPower DCIM version 2.6.9 of their PowerPanel Enterprise software and the latest 1.44.08042023 version of the Dataprobe iBoot PDU firmware. Trellix strongly urges all potentially impacted customers to download and install these patches immediately.

In addition to the official patches, Trellix would suggest taking additional steps for any devices or platforms potentially exposed to 0-day exploitation by these vulnerable products:  

  • Ensure that your PowerPanel Enterprise or iBoot PDU are not exposed to the wider Internet. Each should be reachable only from within your organisation’s secure intranet.
    • In the case of the iBoot PDU, Trellix suggests disabling remote access via Dataprobe’s cloud service as an added precaution. 
  • Modify the passwords associated with all user accounts and revoke any sensitive information stored on both appliances that may have been leaked. 
  • Update to the latest version of PowerPanel Enterprise or install the latest firmware for the iBoot PDU and subscribe to the relevant vendor’s security update notifications.  
    • Although this measure in and of itself will not reduce the risk of attack via the vulnerabilities described in this document, promptly updating all your software to the latest and greatest version is the best practice for ensuring your exposure window is as short as possible in this and future cases.

“The devices and software platforms that service data centres must remain secure and updated, and the vendors producing this hardware and software have processes in place for quick and efficient response following vulnerability disclosures,” added Quinn and Chick. “We applaud both CyberPower and Dataprobe for their willingness and expediency in working with our team after discovering these vulnerabilities. Their responsiveness in creating protections for these vulnerabilities and releasing a patch for their customers shows true organisational maturity and drive to improve security across the entire industry.”