Startling vulnerabilities discovered in the Data Center Infrastructure Management (DCIM) platform of CyberPower’s PowerPanel Enterprise and Dataprobe’s iBoot Power Distribution Unit (PDU) have unveiled potential unauthenticated access risks, heralding possible catastrophic consequences within target environments. With nine vulnerabilities spanning from CVE-2023-3259 to CVE-2023-3267, threat actors could exploit these security gaps to orchestrate remote attacks with a profound impact.
The vulnerabilities’ severity, ranging from 6.7 to 9.8 on the CVSS scale, could empower attackers to incapacitate data centers, compromise valuable data, and even execute large-scale attacks.
Presented at the DEF CON security conference, these findings, a result of the collaborative efforts of Trellix security researchers Sam Quinn, Jesse Chick, and Philippe Laulheret, underscore the gravity of the situation. Exploiting these vulnerabilities could grant attackers full access, paving the way for eavesdropping on communications, compromising data center integrity, and potentially initiating widespread cyber attacks.
With the vulnerabilities effectively presenting an entry point to larger connected systems, the risks could have far-reaching consequences.
The vulnerabilities affect both CyberPower’s PowerPanel Enterprise and Dataprobe’s iBoot PDU. The former contains weaknesses that could lead to the use of hardcoded credentials, improper neutralization of escape sequences, and even OS command injections.
On the other hand, the latter is susceptible to issues such as deserialization of untrusted data, buffer overflow leading to denial-of-service, and improper authentication mechanisms. These weaknesses, if exploited, could result in the catastrophic shutdown of data centers, cyber espionage, and the launch of ransomware, DDoS, or wiper attacks.