Trellix Research identifies four vulnerabilities in CyberPower’s DCIM platform and five in Dataprobe’s iBoot PDU. Exploiting these could yield total system access, potentially leading to significant harm. Both products are also susceptible to remote code injection, risking backdoor creation and network breach.
CyberPower is a leading vendor of data center equipment and infrastructure solutions, specializing in power protection technologies and power management systems. Their DCIM platform allows IT teams to manage, configure, and monitor the infrastructure within a data center through the cloud, serving as a single source of information and control for all devices. These platforms are commonly used by companies managing on-premise server deployments to larger, co-located data centers — like those from major cloud providers AWS, Google Cloud, Microsoft Azure, etc.
“Vulnerabilities that enable cybercriminals to slowly infect entire data center deployments to steal key data and information or utilize compromised resources to initiate attacks at a global scale could be leveraged for massive damage. The threats and risks to both consumers and enterprises is high.”
John Fokker, Head of Threat Intelligence, Trellix Advanced Research Center.
Dataprobe manufactures power management products that assist businesses in monitoring and controlling their infrastructure. Their iBoot PDU allows administrators to remotely manage the power supply to their devices and equipment via a simple and easy-to-use web application. Dataprobe has thousands of devices across numerous industries — from deployments in data centers, travel and transportation infrastructure, financial institutions, smart city IoT installations, and government agencies.
“In a world growing ever-reliant on massive amounts of data for business operations, critical infrastructure, and basic internet activities, major vulnerabilities in the data centers making all this possible is a large risk to daily society. Vulnerabilities that enable cybercriminals to slowly infect entire data center deployments to steal key data and information or utilize compromised resources to initiate attacks at a global scale could be leveraged for massive damage. The threats and risks to both consumers and enterprises is high,” said, John Fokker, Head of Threat Intelligence, Trellix Advanced Research Center.
Below are some examples of the level of damage a malicious threat actor could do when utilizing exploits of this level across numerous data centers:
- Power Off: Through access to these power management systems, even the simple act of cutting power to devices connected to a PDU would be significant. Websites, business applications, consumer technologies, and critical infrastructure deployments all rely on the availability of these data centers to operate. A threat actor could cause significant disruption for days at a time with the simple “flip of a switch” in dozens of compromised data centers.
- Malware at Scale: Using these platforms to create a backdoor on the data center equipment provides bad actors a foothold to compromise a huge number of systems and devices. Some data centers host thousands of servers and connect to hundreds of various business applications. Malicious attackers could slowly compromise both the data center and the business networks connected to it.
- · Digital Espionage: In addition to the previously mentioned malicious activities one would expect of cybercriminals, APTs and nation-state backed threat actors could leverage these exploits to conduct cyberespionage attacks.
Recommendation
Both Dataprobe and CyberPower have released fixes for these vulnerabilities with CyberPower DCIM version 2.6.9 of their PowerPanel Enterprise software and the latest 1.44.08042023 version of the Dataprobe iBoot PDU firmware. Trellix strongly urges all potentially impacted customers to download and install these patches immediately. In addition to the official patches, Trellix would suggest taking additional steps for any devices or platforms potentially exposed to 0-day exploitation by these vulnerable products:
- Ensure that your PowerPanel Enterprise or iBoot PDU are not exposed to the wider Internet. Each should be reachable only from within your organization’s secure intranet.
- In the case of the iBoot PDU, Trellix suggests disabling remote access via Dataprobe’s cloud service as an added precaution.
- Modify the passwords associated with all user accounts and revoke any sensitive information stored on both appliances that may have been leaked. · Update to the latest version of PowerPanel Enterprise or install the latest firmware for the iBoot PDU and subscribe to the relevant vendor’s security update notifications.
- Although this measure in and of itself will not reduce risk of attack via the vulnerabilities described in this document, updating all your software to the latest and greatest version promptly is the best practice for ensuring your window of exposure is as short as possible in this and future cases.
“The devices and software platforms that service data centers must remain secure and updated, and the vendors producing this hardware and software have processes in place for quick and efficient response following vulnerability disclosures,” added Fokker. “We applaud both CyberPower and Dataprobe for their willingness and expediency in working with our team following the discovery of these vulnerabilities. Their responsiveness in creating protections for these vulnerabilities and releasing a patch for their customers shows true organizational maturity and drive to improve security across the entire industry.”
