Alarm bells are ringing for the security of critical data centre operations after a number of security flaws were uncovered in Dataprobe's iBoot power distribution unit (PDU) and CyberPower's PowerPanel Enterprise Data Centre Infrastructure Management (DCIM) platform.
The consequences of these vulnerabilities were outlined in a blog post written earlier this week by Trellix cybersecurity researchers Sam Quinn, Jesse Chick, and Philippe Laulheret.
With severity ratings ranging from 6.7 to 9.8, these flaws might allow malicious actors to carry out large-scale attacks, penetrate and manipulate data, and even shut down entire data centres.
The Dataprobe iBoot PDU vulnerabilities include CVE-2023-3259, which enables an attacker to overcome authentication by deserializing untrusted data, and CVE-2023-3260, which permits authorised remote code execution via OS command injection.
A buffer overflow vulnerability known as CVE-2023-3261 results in a denial-of-service (DoS) issue. CVE-2023-3262 further draws attention to the risk posed by the system's reliance on hard-coded credentials. The last vulnerability is identified as CVE-2023-3263, which allows for the bypass of alternate name authentication.
A couple of the CyberPower PowerPanel Enterprise vulnerabilities involve the use of hard-coded credentials, such as CVE-2023-3264, and an authentication bypass through the inappropriate neutralisation of escape, meta, or control sequences, such as CVE-2023-3265.
Additionally, CVE-2023-3266 demonstrates an authentication bypass resulting from inaccurate standard protocol security check implementation, and CVE-2023-3267 makes it possible for authenticated remote code execution via OS command injection.
The most recent versions of PowerPanel Enterprise (2.6.9) and the Dataprobe iBoot PDU firmware (1.44.08042023, respectively) have patches for these vulnerabilities, although their potential effects are still wide-ranging.
Last week, when the researchers presented their discoveries at the DEFCON security conference, they made sure to emphasise that there is currently no proof that these vulnerabilities are being actively exploited.
To maintain the security of their data centres, organisations must nevertheless take proactive actions. Customers are urged to download and apply the fixes right now.
To further reduce the dangers related to potential zero-day exploits, additional measures are recommended. As part of this, make sure the PowerPanel Enterprise or iBoot PDU is cut off from the public internet, especially by blocking remote access via Dataprobe's cloud service.