Trellix researchers are disclosing a number of critical data center power management platform vulnerabilities at DEFCON 2023 today.
The vulnerabilities “could allow attackers to shut down entire data centers in minutes, slowly infect entire data center deployments to steal key data and information, or utilize compromised resources to initiate massive attacks at a global scale,” Sam Quinn and Jesse Chick of the Trellix Advanced Research Center wrote in a blog accompanying their presentation.
The Trellix researchers investigated several data center software platforms and hardware technologies as part of a U.S. effort to secure critical infrastructure. They found four critical vulnerabilities in CyberPower’s Data Center Infrastructure Management (DCIM) platform and five critical vulnerabilities in Dataprobe’s iBoot Power Distribution Unit (PDU).
CyberPower offers power protection and management systems for computer and server technologies. The CyberPower DCIM platform lets IT teams manage, configure and monitor the infrastructure within a data center through the cloud, “serving as a single source of information and control for all devices.”
Quinn and Chick said these platforms “are commonly used by companies managing on-premise server deployments to larger, co-located data centers – like those from major cloud providers AWS, Google Cloud, Microsoft Azure, etc.”
Dataprobe’s power management products help businesses monitor and control their networks typically in small to mid-sized data centers and SMBs managing on-premises server deployments. “Their iBoot PDU allows administrators to manage the power supply to their devices and equipment remotely, via a simple and easy to use web browser application,” the researchers noted.
Here are the vulnerabilities they discovered, including their CVEs, CVSS scores, and a brief description of each:
- CyberPower DCIM:
  - CVE-2023-3264: Use of Hard-coded Credentials (CVSS 6.7)
  - CVE-2023-3265: Improper Neutralization of Escape, Meta, or Control Sequences (Auth Bypass; CVSS 7.2)
  - CVE-2023-3266: Improperly Implemented Security Check for Standard (Auth Bypass; CVSS 7.5)
  - CVE-2023-3267: OS Command Injection (Authenticated RCE; CVSS 7.5)
- Dataprobe iBoot PDU:
  - CVE-2023-3259: Deserialization of Untrusted Data (Auth Bypass; CVSS 9.8)
  - CVE-2023-3260: OS Command Injection (Authenticated RCE; CVSS 7.2)
  - CVE-2023-3261: Buffer Overflow (DoS; CVSS 7.5)
  - CVE-2023-3262: Use of Hard-coded Credentials (CVSS 6.7)
  - CVE-2023-3263: Authentication Bypass by Alternate Name (Auth Bypass; CVSS 7.5)
The researchers said the vulnerabilities could give threat actors authenticated access to these data center power management systems, “which alone could be leveraged to commit catastrophic damage. However, the exploits go even further in allowing for remote code injection on the data center hardware to create a backdoor on the device, and an entry point to the broader network of connected data center devices and enterprise systems.”
Potential attacks include:
Power Off: “Even the simple act of turning the data center off could cause massive damage,” the researchers said. With a simple “flip of a switch,” threat actors could shut down data centers.
Malware at Scale: Using these platforms to create a backdoor on data center equipment gives threat actors “a foothold to compromise systems at a massive scale – in the data center itself and for the business networks that access these servers. This malware could be leveraged for unprecedented ransomware, DDoS or Wiper attacks that would completely dwarf Stuxnet, Mirai BotNet, or WannaCry.”
Digital Espionage: “Spyware installed in data centers across the world could be leveraged for extreme cyberespionage,” they wrote.
Black Hat, DEFCON Vulnerabilities – And a Challenge
And in a surprise announcement at Black Hat, the U.S. Defense Advanced Research Projects Agency (DARPA) unveiled a two-year competition to develop AI cybersecurity tools, with nearly $20 million in prizes.
eSecurity Planet Editor Paul Shread contributed to this report