Trellix Research discovers data centre platform vulnerabilities

Trellix Advanced Research Centre’s investigation exposes serious vulnerabilities in CyberPower’s DCIM platform and Dataprobe’s iBoot PDU, highlighting potential unauthorized access consequences.

An attacker could chain these vulnerabilities together to gain full access to these systems — which alone could be leveraged to commit substantial damage. Furthermore, both products are vulnerable to remote code injection that could be leveraged to create a backdoor or an entry point to the broader network of connected data center devices and enterprise systems.

CyberPower is a leading vendor of data center equipment and infrastructure solutions, specializing in power protection technologies and power management systems. Their DCIM platform allows IT teams to manage, configure, and monitor the infrastructure within a data center through the cloud, serving as a single source of information and control for all devices. These platforms are commonly used by companies managing on-premise server deployments to larger, co-located data centers — like those from major cloud providers AWS, Google Cloud, Microsoft Azure, etc.

Dataprobe manufactures power management products that assist businesses in monitoring and controlling their infrastructure. Their iBoot PDU allows administrators to remotely manage the power supply to their devices and equipment via a simple and easy-to-use web application. Dataprobe has thousands of devices across numerous industries — from deployments in data centers, travel and transportation infrastructure, financial institutions, smart city IoT installations, and government agencies.

The team found four major vulnerabilities in CyberPower’s DCIM and five critical vulnerabilities in the Dataprobe’s iBoot PDU:

CyberPower DCIM:
- CVE-2023-3264: Use of Hard-coded Credentials (CVSS 6.7)
- CVE-2023-3265: Improper Neutralization of Escape, Meta, or Control Sequences (Auth Bypass; CVSS 7.2)
- CVE-2023-3266: Improperly Implemented Security Check for Standard (Auth Bypass; CVSS 7.5)
- CVE-2023-3267: OS Command Injection (Authenticated RCE; CVSS 7.5)

Dataprobe iBoot PDU:
- CVE-2023-3259: Deserialization of Untrusted Data (Auth Bypass; CVSS 9.8)
- CVE-2023-3260: OS Command Injection (Authenticated RCE; CVSS 7.2)
- CVE-2023-3261: Buffer Overflow (DOS; CVSS 7.5)
- CVE-2023-3262: Use of Hard-coded Credentials (CVSS 6.7)
- CVE-2023-3263: Authentication Bypass by Alternate Name (Auth Bypass; CVSS 7.5)

“In a world growing ever-reliant on massive amounts of data for business operations, critical infrastructure, and basic internet activities, major vulnerabilities in the data centers making all this possible is a large risk to daily society. Vulnerabilities that enable cybercriminals to slowly infect entire data center deployments to steal key data and information or utilize compromised resources to initiate attacks at a global scale could be leveraged for massive damage. The threats and risks to both consumers and enterprises is high,” commented Sam Quinn, Senior Security Researcher and Jesse Chick, Vulnerability Researcher at the Trellix Advanced Research Centre.

Below are some examples of the level of damage a malicious threat actor could do when utilizing exploits of this level across numerous data centres:

Power Off: Through access to these power management systems, even the simple act of cutting power to devices connected to a PDU would be significant. Websites, business applications, consumer technologies, and critical infrastructure deployments all rely on the availability of these data centers to operate. A threat actor could cause significant disruption for days at a time with the simple “flip of a switch” in dozens of compromised data centers.
Malware at Scale: Using these platforms to create a backdoor on the data center equipment provides bad actors a foothold to compromise a huge number of systems and devices. Some data centers host thousands of servers and connect to hundreds of various business applications. Malicious attackers could slowly compromise both the data center and the business networks connected to it.
Digital Espionage: In addition to the previously mentioned malicious activities one would expect of cybercriminals, APTs and nation-state backed threat actors could leverage these exploits to conduct cyberespionage attacks.

Recommendation

Both Dataprobe and CyberPower have released fixes for these vulnerabilities with CyberPower DCIM version 2.6.9 of their PowerPanel Enterprise software and the latest 1.44.08042023 version of the Dataprobe iBoot PDU firmware. Trellix strongly urges all potentially impacted customers to download and install these patches immediately.

In addition to the official patches, Trellix would suggest taking additional steps for any devices or platforms potentially exposed to 0-day exploitation by these vulnerable products:

Ensure that your PowerPanel Enterprise or iBoot PDU are not exposed to the wider Internet. Each should be reachable only from within your organization’s secure intranet.
- In the case of the iBoot PDU, Trellix suggests disabling remote access via Dataprobe’s cloud service as an added precaution.
Modify the passwords associated with all user accounts and revoke any sensitive information stored on both appliances that may have been leaked.
Update to the latest version of PowerPanel Enterprise or install the latest firmware for the iBoot PDU and subscribe to the relevant vendor’s security update notifications.
- Although this measure in and of itself will not reduce risk of attack via the vulnerabilities described in this document, updating all your software to the latest and greatest version promptly is the best practice for ensuring your window of exposure is as short as possible in this and future cases.

“The devices and software platforms that service data centers must remain secure and updated, and the vendors producing this hardware and software have processes in place for quick and efficient response following vulnerability disclosures,” added Quinn and Chick. “We applaud both CyberPower and Dataprobe for their willingness and expediency in working with our team following the discovery of these vulnerabilities. Their responsiveness in creating protections for these vulnerabilities and releasing a patch for their customers shows true organizational maturity and drive to improve security across the entire industry.”

Survey reveals misalignment between cybersecurity and business goals in the UAE and KSA

Bybit opens global headquarters in Dubai on the heels of 50% increase in user base

DIFC Courts reinforces its commitment to sustainability following expansion of its digital infrastructure

NETSCOUT adds new data centre presence in Dubai with added Arbor Cloud Capabilities

Dubai ranks as the second most crypto-ready city in the world

LinkShadow reinforces its commitment to Saudi Arabia

Huawei Cloud’s Riyadh launch boosts Saudi tech advancement

Cisco unveils new data centre to enhance security services in Saudi Arabia

Survey reveals misalignment between cybersecurity and business goals in the UAE and KSA

Google Cloud announce significant new collaboration with Saudi Pharmaceuticals giant

KROHNE delivers insights to inspire the next generation of engineers in Oman

Oracle supports major project to accelerate Oman digital economy

Ooredoo accelerates cybersecurity in Oman with new deal

Omantel selects Ericsson to manage its nationwide multi-vendor networks

Oman TRA shares plans to accelerate 5G deployment

BDB launches “tijara” platform for SMEs

Bahrain achieves full nationwide 5G coverage

Batelco, SonicWall launch integrated security solutions for SMEs in Bahrain

Bahrain to offer COVID-19 test results on WhatsApp, Facebook Messenger

Infor supports Bahrain’s digital transformation

Infopercept opens its first Middle East office in Kuwait

Microsoft Compliance Manager now available in Kuwait

Commercial Bank of Kuwait gets mobile payments moving with Thales Digital Solutions

Ooredoo chooses Fortinet to deliver secure SD-WAN managed services in Kuwait

Zain rolls out first-ever 5G roaming service in MENA

Looking for the best label solutions in South Africa? Go OKI!

OKI is only going bigger in the South African market!

Huawei honours Women in Tech at Apps UP 2022

Amazon payment services launches in the MENA region

Egypt turns to AI to deliver COVID-19 diagnosis service to People of Determination

Vertiv extends partnership with MDS SI Group to enhance digital infrastructure solutions

Bosch sees 21% sales surge in the Middle East

“AI has been in Google’s DNA from the beginning – we are an AI-first company” – Tarek Khalil, Google Cloud

How companies can future-proof their business with Web3

“Diversity, equity and inclusion are a core part of our culture and values at AWS” – Yasmine Afifi

Gender Lens investing vital to economic recovery

Virgin Hyperloop unveils location for Hyperloop certification centre

TikTok taps Oracle as secure cloud provider

Zoom gets security boost with Keybase acquisition

Why collaboration is the answer to the successful roll-out of 5G

OPSWAT invests $10 Million in scholarship learning program to help close cybersecurity skills gap

Alef Education showcases the Alef Metaverse to improve climate education at COP28

Bybit and AUS unveil the tech talents of tomorrow

How digital education solutions can help students achieve their full learning potential

Seeds for the Future 2023: Huawei gathers ME & CA’s brightest ICT talent in Qatar

Huawei launches ground-breaking solar inverter at World Future Energy Summit

Middle East Energy to further boost their sustainability agenda

EDF UK selects Dynatrace to keep the power flowing

KROHNE harnessing the power of analytics to drive energy transformation

“All of us are pulling in the right direction for a better tomorrow” – Frank Janssens, VP at KROHNE

Above and ‘Beyon’ – New Money SuperApp launched in the UAE

New cross-border payments platform Digit9 launches in the UAE

Hub71 partners with global economic transformation specialist on MENA start-up ecosystem

Spheroid Universe coin to be listed on MEXC exchange

DIFC Innovation Hub launches AccelerateHER program

Innovating Finance: UAE’s Pioneering Role in the Blockchain and Crypto Landscape

Pioneering Sharjah’s Digital Revolution

Interview: Shaping a Secure World

Dubai Chamber of Digital Economy scouts Asia for tech start-ups

Government leaders from IT sector honoured at GovTech Innovation Awards

Dubai Science Park study backs R&D localisation amid projected surge in UAE healthcare spending

MarkiTech expands GCC footprint

MoHAP Launches Health Sector’s First National Centre of Excellence for AI

Korian Benelux future-proofs residential Care with AI-driven solutions

SAS accelerates responsible innovation efforts with new collaborations

Digitalisation key to accelerating construction development in Middle East, says Trimble

R&M Introduces First Single Pair Ethernet System to Support Middle East Smart Building Trend

To ‘upsmart’ your building, start with the elevator

Renters searching for homes online surge amid coronavirus fears

Emirati tech entrepreneur launches new app to ease Dubai’s rental woes

Brands Beware: The Application Generation Demands Seamless Digital Experiences

Opinion: Brands must respond to meet heightened customer expectations

Thriwe: Enhancing the Omni-channel experience

Navigating the Festive Cyber Landscape: Ensuring Online Safety during Holiday Shopping

Celebrate the Dubai Shopping Festival with Eros Electronics’ exclusive deals

Interview: OTIFYD’s intelligent approach to cybersecurity

Extreme Introduces Hub for Research, Development and Innovation in Networking

Interview: AI continues to strengthen cyber defence

Help AG Unveils Top Digital Threats and Trends in Cybersecurity

AVEVA launches CONNECT, the world’s leading industrial intelligence platform, at Hannover Messe