Multiple vulnerabilities in CyberPower PowerPanel Enterprise DCIM (Data Centre Infrasture Management) platform and Dataprobe PDU could expose data centers to hacking.
Researchers from Trellix Advanced Research Center discovered multiple vulnerabilities impacting CyberPower’s PowerPanel Enterprise Data Center Infrastructure Management (DCIM) platform and Dataprobe’s iBoot Power Distribution Unit (PDU). An attacker could exploit to gain unauthenticated access to these systems and carry out a broad range of malicious activities.
CyberPower is a prominent supplier of data center hardware and infrastructure solutions, with a specific focus on cutting-edge power protection technologies and effective power management systems. The PowerPanel Enterprise DCIM platform enables IT teams to manage, configure, and monitor a data center’s infrastructure via cloud connectivity. This platform serves as an integrated hub of information and control for all interconnected devices. Such solutions find widespread adoption, ranging from enterprises overseeing on-site server installations to expansive co-located data centers, including the industry giants like AWS, Google Cloud, Microsoft Azure, and others.
The nine vulnerabilities have received CVE between CVE-2023-3259 through CVE-2023-3267. Successful exploitation of the flaws can allow threat actors to shut down entire data centers.
“we found four vulnerabilities in CyberPower’s PowerPanel Enterprise Data Center Infrastructure Management (DCIM) platform and five vulnerabilities in Dataprobe’s iBoot Power Distribution Unit (PDU). An attacker could chain these vulnerabilities together to gain full access to these systems – which alone could be leveraged to commit substantial damage.” reads the advisory published by Trellix. “Furthermore, both products are vulnerable to remote code injection that could be leveraged to create a backdoor or an entry point to the broader network of connected data center devices and enterprise systems.”
The good news is that the researchers have found no evidence that these flaws were exploited in the wild.
Below is the list of flaws discovered by the researchers:
- CyberPower PowerPanel Enterprise:
- CVE-2023-3264: Use of Hard-coded Credentials (CVSS 6.7)
- CVE-2023-3265: Improper Neutralization of Escape, Meta, or Control Sequences (Auth Bypass; CVSS 7.2)
- CVE-2023-3266: Improperly Implemented Security Check for Standard (Auth Bypass; CVSS 7.5)
- CVE-2023-3267: OS Command Injection (Authenticated RCE; CVSS 7.5)
- Dataprobe iBoot PDU:
- CVE-2023-3259: Deserialization of Untrusted Data (Auth Bypass; CVSS 9.8)
- CVE-2023-3260: OS Command Injection (Authenticated RCE; CVSS 7.2)
- CVE-2023-3261: Buffer Overflow (DOS; CVSS 7.5)
- CVE-2023-3262: Use of Hard-coded Credentials (CVSS 6.7)
- CVE-2023-3263: Authentication Bypass by Alternate Name (Auth Bypass; CVSS 7.5)