By Sam Quinn and Jesse Chick – August 14, 2023
In a post-COVID working environment where many employees are working from home or in hybrid office environments, businesses small and large have turned to digital transformation and cloud services to support new working habits and operational efficiencies. Connected devices in the home are more prevalent than ever, and consumers increasingly rely on their smartphones and internet services for daily tasks. An uncountable number of government organizations and services similarly rely on online tools and cloud applications to support their daily operations.
The world has become increasingly reliant on data and the data center infrastructure that supports the foundation of our internet services. From small server houses businesses have on-premises to hyperscale colocation data centers operated by Amazon, Google, Microsoft, or another major enterprise, today’s data centers are a critical attack vector for cybercriminals wanting to spread malware, blackmail businesses for ransom, conduct corporate or foreign espionage, or simply shut down large swaths of the Internet.
This blog is the first of a multi-part series focused on vulnerability discovery in data centers, investigating several widely used management platforms and technologies present in data centers. Thus, this research involves several vendors with whom our team has coordinated to disclose and patch these vulnerabilities to protect this incredibly critical industry. For this first blog, our team specifically looked into power management and supply technologies commonly found in data centers.
It’s clear that protecting the data center infrastructure that supports so many functions of our society is paramount. The Trellix Advanced Research Center regularly identifies critical vulnerabilities to expose and reduce attack surfaces. In alignment with the recently announced 2023 National Cybersecurity Strategy, our team investigated several data center software platforms and hardware technologies to help protect national critical infrastructures and drive security resilience across the digital ecosystem.
During this practice, we found four vulnerabilities in CyberPower’s Data Center Infrastructure Management (DCIM) platform and five vulnerabilities in Dataprobe’s iBoot Power Distribution Unit (PDU). An attacker could chain these vulnerabilities together to gain full access to these systems – which alone could be leveraged to commit catastrophic damage – as well as remote code injection on the data center hardware to create a backdoor on the device and an entry point to the broader network of connected data center devices and enterprise systems.
CyberPower provides power protection and management systems for computer and server technologies. Their DCIM platform allows IT teams to manage, configure, and monitor the infrastructure within a data center through the cloud, serving as a single source of information and control for all devices. These platforms are commonly used by companies managing on-premise server deployments to larger, co-located data centers – like those from major cloud providers AWS, Google Cloud, Microsoft Azure, etc.
Dataprobe manufactures power management products that assist businesses in monitoring and controlling their equipment. Their iBoot PDU allows administrators to remotely manage the power supply to their devices and equipment via a simple and easy-to-use web application. These devices are typically found in small to mid-sized data centers and used by SMBs managing on-premise server deployments.
The team found four major vulnerabilities in CyberPower’s DCIM and five critical vulnerabilities in the Dataprobe’s iBoot PDU:
- CyberPower DCIM:
- CVE-2023-3264: Use of Hard-coded Credentials (CVSS 6.7)
- CVE-2023-3265: Improper Neutralization of Escape, Meta, or Control Sequences (Auth Bypass; CVSS 7.2)
- CVE-2023-3266: Improperly Implemented Security Check for Standard (Auth Bypass; CVSS 7.5)
- CVE-2023-3267: OS Command Injection (Authenticated RCE; CVSS 7.5)
- Dataprobe iBoot PDU:
- CVE-2023-3259: Deserialization of Untrusted Data (Auth Bypass; CVSS 9.8)
- CVE-2023-3260: OS Command Injection (Authenticated RCE; CVSS 7.2)
- CVE-2023-3261: Buffer Overflow (DOS; CVSS 7.5)
- CVE-2023-3262: Use of Hard-coded Credentials (CVSS 6.7)
- CVE-2023-3263: Authentication Bypass by Alternate Name (Auth Bypass; CVSS 7.5)
Impact
In a world growing ever reliant on massive amounts of data for business operations, critical infrastructure, and basic internet activities, major vulnerabilities in the data centers making all this possible is a large risk to daily society. Vulnerabilities that enable cybercriminals to slowly infect entire data center deployments to steal key data and information or utilize compromised resources to initiate attacks at a global scale could be leveraged for massive damage. The threats and risks to both consumers and enterprises is high.
Below are some examples of the level of damage a malicious threat actor could do when utilize exploits of this level across numerous data centers:
- Power Off: Through access to these power management systems, even the simple act of turning the data center off would be significant. Websites, business applications, consumer technologies, and critical infrastructure deployments all rely on these data centers to operate. A threat actor could shut that all down for days at a time with the simple “flip of a switch” in dozens of compromised data centers. Furthermore, manipulation of the power management can be used to damage the hardware devices themselves – making them far less effective if not inoperable.
- Malware at Scale: Using these platforms to create a backdoor on the data center equipment provides bad actors a foothold to compromise a huge number of systems and devices. Some data centers host thousands of servers, and connect to hundreds of various business applications. Malicious attackers could slowly compromise both the data center and the business networks connected to it. Malware across such a huge scale of devices could be leveraged for massive ransomware, DDoS, or Wiper attacks – potentially even more widespread than those of SuxNet, Mirai BotNet, or WannaCry.
- Digital Espionage: In addition to the previously mentioned malicious activities one would expect of cybercriminals, APT and nation-state backed threat actors could leverage these exploits to conduct cyberespionage attacks. The 2018 concerns of spy chips in data centers would become a digital reality if spyware installed in data centers worldwide were to leveraged for cyber espionage to inform foreign nation states of sensitive information.
As discussed in the June edition of Trellix’s CyberThreat Report, cloud infrastructure attacks continue to rise following the digital transformation trend many organizations adopted to support work-from-home or hybrid workforces during the COVID-19 pandemic. As more and more businesses seek to expand their on-premises deployments or turn to a more affordable and scalable cloud infrastructure from Amazon, Microsoft, Google, and others, this has created a growing attack vector for threat actors.
Though attackers are also escalating usage of more sophisticated attacks on data center infrastructure, like MFA attacks, Proxies, and API Execution, the most prominent attack technique continues to be through Valid Accounts, which is more than double the 2nd most commonly used attack vector. The risk of “rogue access” to organizations is very real, as cybercriminals utilize legitimate account logins – whether bought and sold on the dark web or acquired through exploits like those discussed in this research – to enterprise platforms and business websites to infiltrate and conduct attacks.
Furthermore, analysis of the “Leak Site” data of many prominent cybercriminal groups indicates that small and medium sized businesses tend to be the primary victims of their attacks. However, even these smaller organizations offer threat actors high “value” in compromising their data center infrastructure. A vulnerability on a single data center management platform or device can quickly lead to a complete compromise of the internal network and give threat actors a foothold to attack any connected cloud infrastructure further.
We are fortunate enough to have caught these vulnerabilities early – without having discovered any malicious uses in the wild of these exploits. However, data centers are attractive targets for cybercriminals due to the number of attack vectors and ability to scale their attacks once a foothold has been achieved. Thus, we consider it imperative that we continue this research, and coordinate with data center software and hardware vendors, to address and disclose potential threats to such a core part of our IT infrastructure.
Our team disclosed more details of how these vulnerabilities were discovered and could have been exploited in our presentation at DEFCON at 2pm Pacific Time on Saturday, August 12.
Recommendation
As of this writing, neither Cyberpower nor Dataprobe have released security updates to address these vulnerabilities. In lieu of official patches, we provide the following recommendations to those who are potentially exposed to 0-day exploitation by these vulnerable products:
- Ensure that your PowerPanel Enterprise or iBoot PDU are not exposed to the wider Internet. Each should be reachable only from within your organization’s secure intranet.
- In the case of the iBoot PDU, we suggest disabling remote access via Dataprobe’s cloud service as an added precaution.
- Modify the passwords associated with all user accounts and revoke any sensitive information stored on both appliances that may have been leaked.
- Update to the latest version of PowerPanel Enterprise or install the latest firmware for the iBoot PDU and subscribe to the relevant vendor’s security update notifications.
- Although this measure in and of itself will not reduce risk of attack via the vulnerabilities described in this document, updating all your software to the latest and greatest version promptly is the best practice for ensuring your window of exposure is as short as possible in this and future cases.
Conclusion
Thanks to the explosion of IoT devices and AI applications in the past few decades, connected technologies today are a part of nearly every aspect of daily life – from the home to the enterprise. The services and capabilities enabled through the latest internet technologies greatly influence societal and cultural changes, as was experienced throughout the COVID-19 pandemic.
With how incredibly significant these services are for consumers and businesses, it’s clear that cybersecurity for the data centers making them possible is essential. It isn’t wrong to say today that proper cybersecurity posture and defenses for data centers are essential to the basic functioning of our economy and society. This level of importance makes them a target for threat actors looking to implement attacks on nation-states, ransom critical infrastructure, or conduct espionage for foreign nations.
Thus, the devices and software platforms that service data centers must remain secure and updated, and the vendors producing this hardware and software have processes in place for quick and efficient response following vulnerability disclosures.
We applaud both CyberPower and Dataprobe for their willingness and expediency in working with our team following the discovery of these vulnerabilities. Their responsiveness in creating protections for these vulnerabilities and releasing a patch for their customers shows true organizational maturity and drive to improve security across the entire industry.
