It’s clear that protecting the data center infrastructure that supports so many functions of our society is paramount. The Trellix Advanced Research Center regularly identifies critical vulnerabilities to expose and reduce attack surfaces. In alignment with the recently announced 2023 National Cybersecurity Strategy, our team investigated several data center software platforms and hardware technologies to help protect national critical infrastructures and drive security resilience across the digital ecosystem.
During this research, we found four vulnerabilities in CyberPower's Data Center Infrastructure Management (DCIM) platform and five vulnerabilities in Dataprobe's iBoot Power Distribution Unit (PDU). An attacker could chain these vulnerabilities together to gain full access to these systems – which alone could be leveraged to cause catastrophic damage – as well as achieve remote code injection on the data center hardware to create a backdoor on the device and an entry point to the broader network of connected data center devices and enterprise systems.
CyberPower provides power protection and management systems for computer and server technologies. Their DCIM platform allows IT teams to manage, configure, and monitor the infrastructure within a data center through the cloud, serving as a single source of information and control for all devices. These platforms are commonly used by organizations ranging from companies managing on-premise server deployments to larger, co-located data centers – like those of major cloud providers such as AWS, Google Cloud, and Microsoft Azure.
Dataprobe manufactures power management products that assist businesses in monitoring and controlling their equipment. Their iBoot PDU allows administrators to remotely manage the power supply to their devices and equipment via a simple and easy-to-use web application. These devices are typically found in small to mid-sized data centers and are used by SMBs managing on-premise server deployments.
The team found four major vulnerabilities in CyberPower's DCIM and five critical vulnerabilities in Dataprobe's iBoot PDU:
- CyberPower DCIM:
  - CVE-2023-3264: Use of Hard-coded Credentials (CVSS 6.7)
  - CVE-2023-3265: Improper Neutralization of Escape, Meta, or Control Sequences (Auth Bypass; CVSS 7.2)
  - CVE-2023-3266: Improperly Implemented Security Check for Standard (Auth Bypass; CVSS 7.5)
  - CVE-2023-3267: OS Command Injection (Authenticated RCE; CVSS 7.5)
- Dataprobe iBoot PDU:
  - CVE-2023-3259: Deserialization of Untrusted Data (Auth Bypass; CVSS 9.8)
  - CVE-2023-3260: OS Command Injection (Authenticated RCE; CVSS 7.2)
  - CVE-2023-3261: Buffer Overflow (DoS; CVSS 7.5)
  - CVE-2023-3262: Use of Hard-coded Credentials (CVSS 6.7)
  - CVE-2023-3263: Authentication Bypass by Alternate Name (Auth Bypass; CVSS 7.5)
In a world growing ever more reliant on massive amounts of data for business operations, critical infrastructure, and basic internet activities, major vulnerabilities in the data centers making all this possible are a large risk to daily society. Vulnerabilities that enable cybercriminals to slowly infect entire data center deployments to steal key data and information, or to utilize compromised resources to initiate attacks at a global scale, could be leveraged for massive damage. The threats and risks to both consumers and enterprises are high.
Below are some examples of the level of damage a malicious threat actor could do when utilizing exploits of this level across numerous data centers:
- Power Off: Through access to these power management systems, even the simple act of turning the data center off would be significant. Websites, business applications, consumer technologies, and critical infrastructure deployments all rely on these data centers to operate. A threat actor could shut that all down for days at a time with the simple “flip of a switch” in dozens of compromised data centers. Furthermore, manipulation of the power management can be used to damage the hardware devices themselves – making them far less effective if not inoperable.
- Malware at Scale: Using these platforms to create a backdoor on the data center equipment provides bad actors a foothold to compromise a huge number of systems and devices. Some data centers host thousands of servers and connect to hundreds of different business applications. Malicious attackers could slowly compromise both the data center and the business networks connected to it. Malware across such a huge number of devices could be leveraged for massive ransomware, DDoS, or wiper attacks – potentially even more widespread than those of Stuxnet, the Mirai botnet, or WannaCry.
- Digital Espionage: In addition to the previously mentioned malicious activities one would expect of cybercriminals, APT and nation-state backed threat actors could leverage these exploits to conduct cyberespionage attacks. The 2018 concerns about spy chips in data centers would become a digital reality if spyware installed in data centers worldwide were to be leveraged for cyber espionage to inform foreign nation states of sensitive information.
As discussed in the June edition of Trellix’s Cyber Threat Report, cloud infrastructure attacks continue to rise following the digital transformation trend many organizations adopted to support work-from-home or hybrid workforces during the COVID-19 pandemic. As more and more businesses seek to expand their on-premises deployments or turn to a more affordable and scalable cloud infrastructure from Amazon, Microsoft, Google, and others, this has created a growing attack vector for threat actors.
Though attackers are also escalating their use of more sophisticated attacks on data center infrastructure, like MFA attacks, proxies, and API execution, the most prominent attack technique continues to be Valid Accounts, which is used more than twice as often as the second most common attack vector. The risk of “rogue access” to organizations is very real, as cybercriminals utilize legitimate account logins – whether bought and sold on the dark web or acquired through exploits like those discussed in this research – to enterprise platforms and business websites to infiltrate and conduct attacks.
Furthermore, analysis of the “leak site” data of many prominent cybercriminal groups indicates that small and medium-sized businesses tend to be the primary victims of their attacks. However, even these smaller organizations offer threat actors high “value” in compromising their data center infrastructure. A vulnerability on a single data center management platform or device can quickly lead to a complete compromise of the internal network and give threat actors a foothold to further attack any connected cloud infrastructure.
We are fortunate enough to have caught these vulnerabilities early – without having discovered any malicious use of these exploits in the wild. However, data centers are attractive targets for cybercriminals due to the number of attack vectors and the ability to scale their attacks once a foothold has been achieved. Thus, we consider it imperative that we continue this research, and coordinate with data center software and hardware vendors, to address and disclose potential threats to such a core part of our IT infrastructure.