Two widely used data center solutions, CyberPower’s PowerPanel Enterprise Data Center Infrastructure Management (DCIM) platform and Dataprobe’s iBoot Power Distribution Unit (PDU), have been found to have significant security vulnerabilities by researchers.
By exploiting these vulnerabilities consecutively, an attacker could obtain complete control over these systems, giving them the ability to cause significant harm. Trellix researchers have noted that both products are susceptible to remote code injection, which could potentially enable the creation of a backdoor or serve as an entry point to the larger network of connected data center devices and enterprise systems.
CyberPower’s PowerPanel Enterprise DCIM has been discovered to have multiple vulnerabilities, including three authentication bypass flaws (CVE-2023-3264, CVE-2023-3265, CVE-2023-3266) and an OS command injection bug that makes it susceptible to authenticated Remote Code Execution (RCE) (CVE-2023-3267).
There are several vulnerabilities in the Dataprobe iBoot PDU that can be exploited in various ways. These vulnerabilities include the ability to bypass authentication (CVE-2023-3259, CVE-2023-3263), execute authenticated remote code via OS command injection (CVE-2023-3260), cause a denial of service (CVE-2023-3261), and manipulate the internal Postgres database (CVE-2023-3262).
This year’s DEF CON researchers have revealed further information.
CyberPower and Dataprobe have both recently launched updates addressing these vulnerabilities. We strongly recommend that customers update to version 2.6.9 of the PowerPanel Enterprise software and install the latest 1.44.08042023 version of the Dataprobe iBoot PDU firmware.