Multiple Flaws in CyberPower and Dataprobe Products Put Data Centers at Risk

Multiple security vulnerabilities impacting CyberPower’s PowerPanel Enterprise Data Center Infrastructure Management (DCIM) platform and Dataprobe’s iBoot Power Distribution Unit (PDU) could be potentially exploited to gain unauthenticated access to these systems and inflict catastrophic damage in target environments.

The nine vulnerabilities, from CVE-2023-3259 through CVE-2023-3267, carry severity scores ranging from 6.7 to 9.8, enabling threat actors to shut down entire data centers and compromise data center deployments to steal data or launch massive attacks at a massive scale.

“An attacker could chain these vulnerabilities together to gain full access to these systems,” Trellix security researchers Sam Quinn, Jesse Chick, and Philippe Laulheret said in a report shared with The Hacker News.

“Furthermore, both products are vulnerable to remote code injection that could be leveraged to create a backdoor or an entry point to the broader network of connected data center devices and enterprise systems.”

The findings were presented at the DEFCON security conference today. There is no evidence that these shortcomings were abused in the wild. The list of flaws, which have been addressed in version 2.6.9 of PowerPanel Enterprise software and version 1.44.08042023 of the Dataprobe iBoot PDU firmware, is below –

Dataprobe iBoot PDU –

• CVE-2023-3259 (CVSS score: 9.8) – Deserialization of untrusted data, leading to authentication bypass
• CVE-2023-3260 (CVSS score: 7.2) – OS command injection, leading to authenticated remote code execution
• CVE-2023-3261 (CVSS score: 7.5) – Buffer overflow, leading to denial-of-service (DoS)
• CVE-2023-3262 (CVSS score: 6.7) – Use of hard-coded credentials
• CVE-2023-3263 (CVSS score: 7.5) – Authentication bypass by alternate name

CyberPower PowerPanel Enterprise –

• CVE-2023-3264 (CVSS score: 6.7) – Use of hard-coded credentials
• CVE-2023-3265 (CVSS score: 7.2) – Improper neutralization of escape, meta, or control sequences, leading to authentication bypass
• CVE-2023-3266 (CVSS score: 7.5) – Improperly Implemented Security Check for Standard, leading to authentication bypass
• CVE-2023-3267 (CVSS score: 7.5) – OS command injection, leading to authenticated remote code execution

Successful exploitation of the aforementioned flaws could impact critical infrastructure deployments that rely on data centers, resulting in shutdowns with a “flip of a switch,” conduct widespread ransomware, DDoS or wiper attacks, or conduct cyber espionage.

“A vulnerability on a single data center management platform or device can quickly lead to a complete compromise of the internal network and give threat actors a foothold to attack any connected cloud infrastructure further,” the researchers said.