Multiple vulnerabilities in data center infrastructure management systems/power distribution units have the potential to cripple popular cloud-based services. That’s according to new findings from the Trellix Advanced Research Center, which revealed four vulnerabilities in CyberPower’s Data Center Infrastructure Management (DCIM) platform and five vulnerabilities in Dataprobe’s iBoot Power Distribution Unit (PDU).
The vulnerabilities could be used to gain full access to these systems as well as to perform remote code execution (RCE) to create device backdoors and an entry point to the broader network, according to the researchers. They are basic, require little expertise or hacking tools, and could be executed in minutes, the team added. At the time of disclosure, Trellix said it had not discovered any malicious use of the exploits in the wild. The research into the vulnerabilities was presented at DEF CON in Las Vegas.
The data center market is seeing rapid growth as businesses turn to digital transformation and cloud services to support new working habits and operational efficiencies. In the US alone, data center demand is expected to reach 35 gigawatts (GW) by 2030, up from 17 GW in 2022, according to analysis from McKinsey & Company. However, today’s data centers are a critical attack vector for cybercriminals wanting to spread malware, blackmail businesses for ransom, conduct corporate or foreign espionage, or shut down large swaths of the internet.
Remote code execution, authentication bypass, DoS among risks
CyberPower provides power protection and management systems for computer and server technologies. Its DCIM platform allows IT teams to manage, configure, and monitor the infrastructure within a data center through the cloud, serving as a single source of information and control for all devices. “These platforms are commonly used by companies managing on-premises server deployments to larger, co-located data centers – like those from major cloud providers AWS, Google Cloud, Microsoft Azure, etc.,” the researchers wrote.
The four vulnerabilities Trellix found in CyberPower’s DCIM are:
- CVE-2023-3264: Use of hard-coded credentials (CVSS 6.7).
- CVE-2023-3265: Improper neutralization of escape, meta, or control sequences (auth bypass, CVSS 7.2).
- CVE-2023-3266: Improperly implemented security check for standard (auth bypass, CVSS 7.5).
- CVE-2023-3267: OS command injection (authenticated remote code execution, CVSS 7.5).
Dataprobe manufactures power management products that assist businesses in monitoring and controlling their equipment. iBoot PDU allows administrators to remotely manage the power supply to their devices and equipment via a web application. Dataprobe has thousands of devices across numerous industries, including deployments in data centers, travel and transportation infrastructure, financial institutions, smart city IoT installations, and government agencies, Trellix said.
