CyberPower, supplier of the PowerPanel datacentre infrastructure management (DCIM) software and Dataprobe, supplier of the iBoot power distribution unit (PDU), have issued patches for a series of dangerous vulnerabilities that, had they been discovered by threat actors, could have caused global disruption on an almost unprecedented scale.
Identified by researchers at Trellix and publicly disclosed this weekend at the annual DEF CON hacking convention, the vulnerabilities affected hundreds, if not thousands of datacentres, from small on-premise operations to hyperscale colocation facilities operated by the likes of AWS, Google or Microsoft.
Trellix researchers Sam Quinn and Jesse Chick said that with reliance on online and cloud-based services at an all-time high, and only set to grow, datacentres are becoming a “critical attack vector for cyber criminals wanting to spread malware, blackmail businesses for ransom, conduct corporate or foreign espionage, or simply shut down large swathes of the internet”.
The researchers have been conducting a multi-pronged exercise focused on vulnerability discovery in datacentres, investigating several of the world’s most widely used management platforms and technologies. For the first part of the exercise, it centred power management and supply technologies, and is disclosing its findings in this area at DEF CON.
The vulnerabilities it found in the CyberPower and DataProbe products are particularly impactful because of how fundamental the two suppliers’ technology is to the operation of a datacentre.
The CyberPower DCIM platform is a power protection and management system for computer and server technologies that allows IT teams to manage, configure and monitor datacentre infrastructure through the cloud. It is sold into datacentres of all shapes and sizes, from small server room style deployments to hyperscale facilities.
Dataprobe, meanwhile, supplies power management products that help datacentre operators monitor and control their products. Its iBoot PDU lets admins remotely manage power supply to their equipment through a web supplication, but tends to be found in smaller and mid-market datacentres, or at SMEs managing their on-prem servers.
“During this practice, we found four vulnerabilities in CyberPower’s DCIM platform and five vulnerabilities in Dataprobe’s iBoot PDU,” said the Trellix team.
“An attacker could chain these vulnerabilities together to gain full access to these systems – which alone could be leveraged to commit catastrophic damage – as well as remote code injection on the datacentre hardware to create a backdoor on the device and an entry point to the broader network of connected datacentre devices and enterprise systems.”
Some of the havoc that could be wrought – were the vulnerabilities to have been successfully chained and exploited – include shutting off power to the target datacentre, bringing down whatever websites, applications or other servers hosted in them, and manipulating power management to cause physical damage to the server hardware.
Threat actors could also exploit them to create a backdoor on the datacentre equipment to gain a foothold through which to compromise a huge number of different systems and devices and spread malware or ransomware on a huge scale, potentially across hundreds or even thousands of organisations. If such an incident was the befall a major public cloud provider, the impact could be greater than that of WannaCry, Log4Shell, or the ongoing MOVEit breaches.
The third nightmare scenario involves a nation-state backed advanced persistent threat (APT) actor – such as Russia’s Cozy Bear or China’s APT41 – chaining the vulnerabilities to conduct cyber espionage attacks.
“We are fortunate enough to have caught these vulnerabilities early – without having discovered any malicious uses in the wild of these exploits. However, datacentres are attractive targets for cyber criminals due to the number of attack vectors and ability to scale their attacks once a foothold has been achieved,” wrote the Trellix team
“Thus, we consider it imperative that we continue this research, and coordinate with datacentre software and hardware vendors, to address and disclose potential threats to such a core part of our IT infrastructure.”
Update immediately
With the release of patches from both organisations, users of CyberPower PowerPanel Enterprise DCIM should update to version 2.6.9, and users of Dataprobe iBoot PDU to version 1.44.08042023, immediately. You may also wish to subscribe to future security update notices if you have not already done so.
Users who may be exposed are additionally advised to ensure their PowerPanel Enterprise or iBoot PDU are not exposed to the internet, and in the case of iBoot users, to disable remote access via the Dataprobe cloud.
Users should also rotate all passwords associated with user accounts and revoke any sensitive information stored on both appliances.
Quinn and Chick wrote: “We applaud both CyberPower and Dataprobe for their willingness and expediency in working with our team following the discovery of these vulnerabilities.
“Their responsiveness in creating protections for these vulnerabilities and releasing a patch for their customers shows true organisational maturity and drive to improve security across the entire industry.”