Aug 14, 2023, 10:33 PM
Access to power management systems can allow attackers to cut power to devices connected to a PDU shutting down data centers. A threat actor could cause a prolonged outage with the simple “flip of a switch” in dozens of compromised data centers.
The manipulation of power management can also damage hardware devices.
Threat actors can also compromise a data center by establishing a backdoor and abuse systems and devices spread malware on a large scale. APT groups could trigger these flaws to conduct cyberespionage attacks.
The researchers presented their findings at the DEFCON security conference today.
The nine vulnerabilities have received CVE between CVE-2023-3259 through CVE-2023-3267. Successful exploitation of the flaws can allow threat actors to shut down entire data centers.
“we found four vulnerabilities in CyberPower’s PowerPanel Enterprise Data Center Infrastructure Management (DCIM) platform and five vulnerabilities in Dataprobe’s iBoot Power Distribution Unit (PDU). An attacker could chain these vulnerabilities together to gain full access to these systems – which alone could be leveraged to commit substantial damage.” reads the advisory published by Trellix. “Furthermore, both products are vulnerable to remote code injection that could be leveraged to create a backdoor or an entry point to the broader network of connected data center devices and enterprise systems.”
Below is the list of flaws discovered by the researchers:
CyberPower PowerPanel Enterprise:
CVE-2023-3264: Use of Hard-coded Credentials (CVSS 6.7)
CVE-2023-3265: Improper Neutralization of Escape, Meta, or Control Sequences (Auth Bypass; CVSS 7.2)
CVE-2023-3266: Improperly Implemented Security Check for Standard (Auth Bypass; CVSS 7.5)
CVE-2023-3267: OS Command Injection (Authenticated RCE; CVSS 7.5)
Dataprobe iBoot PDU:
CVE-2023-3259: Deserialization of Untrusted Data (Auth Bypass; CVSS 9.8)
CVE-2023-3260: OS Command Injection (Authenticated RCE; CVSS 7.2)
CVE-2023-3261: Buffer Overflow (DOS; CVSS 7.5)
CVE-2023-3262: Use of Hard-coded Credentials (CVSS 6.7)
CVE-2023-3263: Authentication Bypass by Alternate Name (Auth Bypass; CVSS 7.5)
The manipulation of power management can also damage hardware devices.
Threat actors can also compromise a data center by establishing a backdoor and abuse systems and devices spread malware on a large scale. APT groups could trigger these flaws to conduct cyberespionage attacks.
The researchers presented their findings at the DEFCON security conference today.
The nine vulnerabilities have received CVE between CVE-2023-3259 through CVE-2023-3267. Successful exploitation of the flaws can allow threat actors to shut down entire data centers.
“we found four vulnerabilities in CyberPower’s PowerPanel Enterprise Data Center Infrastructure Management (DCIM) platform and five vulnerabilities in Dataprobe’s iBoot Power Distribution Unit (PDU). An attacker could chain these vulnerabilities together to gain full access to these systems – which alone could be leveraged to commit substantial damage.” reads the advisory published by Trellix. “Furthermore, both products are vulnerable to remote code injection that could be leveraged to create a backdoor or an entry point to the broader network of connected data center devices and enterprise systems.”
Below is the list of flaws discovered by the researchers:
CyberPower PowerPanel Enterprise:
CVE-2023-3264: Use of Hard-coded Credentials (CVSS 6.7)
CVE-2023-3265: Improper Neutralization of Escape, Meta, or Control Sequences (Auth Bypass; CVSS 7.2)
CVE-2023-3266: Improperly Implemented Security Check for Standard (Auth Bypass; CVSS 7.5)
CVE-2023-3267: OS Command Injection (Authenticated RCE; CVSS 7.5)
Dataprobe iBoot PDU:
CVE-2023-3259: Deserialization of Untrusted Data (Auth Bypass; CVSS 9.8)
CVE-2023-3260: OS Command Injection (Authenticated RCE; CVSS 7.2)
CVE-2023-3261: Buffer Overflow (DOS; CVSS 7.5)
CVE-2023-3262: Use of Hard-coded Credentials (CVSS 6.7)
CVE-2023-3263: Authentication Bypass by Alternate Name (Auth Bypass; CVSS 7.5)