Exploitation of multiple security vulnerabilities affecting CyberPower’s PowerPanel enterprise data center infrastructure management (DCIM) platform and Dataprobe’s iBoot power distribution unit (PDU) to potentially gain unauthenticated access to these systems and cause catastrophic damage in target environments can be done.
The nine vulnerabilities, ranging from CVE-2023-3259 to CVE-2023-3267, carry severity scores ranging from 6.7 to 9.8, which could allow threat actors to shut down entire data centers and steal data or launch large-scale attacks on a large scale, enable them to compromise data center deployments for scale.
“An attacker could chain these vulnerabilities together to gain complete access to these systems,” Trellix security researchers Sam Quinn, Jesse Chick and Philippe Laulheret said in a report shared.
“In addition, both products are vulnerable to remote code injection that can be used to create a backdoor or entry point into a wider network of connected data center devices and enterprise systems.”
The findings were presented today at the DEF CON security conference. There is no evidence that these loopholes were abused in the wild. The list of vulnerabilities that have been addressed in version 2.6.9 of PowerPanel Enterprise Software and version 1.44.08042023 of Dataprobe iBoot PDU Firmware is below –
Dataprobe iBoot PDU –
- CVE-2023-3259 (CVSS score: 9.8) – Deserialization of untrusted data, causing authentication to be bypassed
- CVE-2023-3260 (CVSS Score: 7.2) – OS command injection, leading to authenticated remote code execution
- CVE-2023-3261 (CVSS score: 7.5) – Buffer overflow, causing denial of service (DoS)
- CVE-2023-3262 (CVSS score: 6.7) – use of hard-coded credentials
- CVE-2023-3263 (CVSS score: 7.5) – Authentication bypass by alternate name
CyberPower PowerPanel Enterprise –
- CVE-2023-3264 (CVSS score: 6.7) – use of hard-coded credentials
- CVE-2023-3265 (CVSS score: 7.2) – Improper neutralization of escape, meta, or control sequences, causing authentication to be bypassed
- CVE-2023-3266 (CVSS Score: 7.5) – Improperly implemented security check for the standard, causing validation to be bypassed
- CVE-2023-3267 (CVSS Score: 7.5) – OS command injection leading to authenticated remote code execution
Successful exploitation of the aforementioned flaws could impact critical infrastructure deployments that rely on data centers, resulting in shutdowns with a “flip of a switch,” conduct widespread ransomware, DDoS or wiper attacks, or conduct cyber espionage.
“A vulnerability on a single data center management platform or device can quickly lead to a complete compromise of the internal network and give threat actors a foothold to attack any connected cloud infrastructure further,” the researchers said.