The Threat Lurking in Data Centers – Hack Power Management Systems, Take All the Power
August 2023 by Sam Quinn, Jesse Chick, and Philippe Laulheret
In a modern working environment where many employees are working from home or in hybrid office environments, businesses small and large have turned to digital transformation and cloud services to support new working habits and operational efficiencies. Connected devices in the home are more prevalent than ever, and consumers increasingly rely on their smartphones and internet services for daily tasks. An uncountable number of government organizations and services similarly rely on online tools and cloud applications to support their daily operations.
The world has become increasingly reliant on data and the data center infrastructure that supports the foundation of our internet services. From the small server rooms businesses run on-premises to the hyperscale colocation data centers operated by Amazon, Google, Microsoft, or another major enterprise, today’s data centers are a critical attack vector for cybercriminals wanting to spread malware, blackmail businesses for ransom, conduct corporate or foreign espionage, or simply shut down large swaths of the Internet.
This blog is the first of a multi-part series focused on vulnerability discovery in data centers, investigating several widely used management platforms and technologies present in data centers. This research therefore involves several vendors with whom our team has coordinated to disclose and patch these vulnerabilities to protect this incredibly critical industry. For this first blog, our team specifically looked into power management and supply technologies commonly found in data centers.
It’s clear that protecting the data center infrastructure that supports so many functions of our society is paramount. The Trellix Advanced Research Center regularly identifies critical vulnerabilities to expose and reduce attack surfaces. In alignment with the recently announced 2023 National Cybersecurity Strategy, our team investigated several data center software platforms and hardware technologies to help protect national critical infrastructures and drive security resilience across the digital ecosystem.
During this practice, we found four vulnerabilities in CyberPower’s Data Center Infrastructure Management (DCIM) platform and five vulnerabilities in Dataprobe’s iBoot Power Distribution Unit (PDU). An attacker could chain these vulnerabilities together to gain full access to these systems – which alone could be leveraged to commit substantial damage. Furthermore, both products are vulnerable to remote code injection that could be leveraged to create a backdoor or an entry point to the broader network of connected data center devices and enterprise systems.
CyberPower is a leading vendor of data center equipment and infrastructure solutions, specializing in power protection technologies and power management systems. Their DCIM platform allows IT teams to manage, configure, and monitor the infrastructure within a data center through the cloud, serving as a single source of information and control for all devices. These platforms are commonly used by companies managing everything from on-premises server deployments to larger, co-located data centers – like those from major cloud providers AWS, Google Cloud, Microsoft Azure, etc.
According to Sunbird Software, 83% of enterprise data center operators have increased their rack densities in the last three years – and thus are looking to tools like DCIM platforms to help manage their infrastructure, prevent outages, and maintain uptime. This is reflected in the market predictions. The DCIM market reached $2 billion in 2022 and is projected to continue growing at a CAGR of 20%, reaching $20 billion in 2032. Thus, DCIM services like CyberPower’s are adopted widely across the entire industry.
Dataprobe manufactures power management products that assist businesses in monitoring and controlling their infrastructure. Their iBoot PDU allows administrators to remotely manage the power supply to their devices and equipment via a simple and easy-to-use web application. Dataprobe has thousands of devices across numerous industries – from data centers and travel and transportation infrastructure to financial institutions, smart city IoT installations, and government agencies.
The iBoot PDU specifically has been in service since 2016, with thousands of these PDUs utilized for tasks including digital signage, telecommunications, remote site management, and much more. Back in 2021, exposure management company Censys found that over 750 iBoot PDUs were reachable over the internet. As this search didn’t include devices managed by a cloud service behind a firewall, the actual number of internet accessible iBoot PDUs was likely much higher.
The team found four major vulnerabilities in CyberPower’s DCIM and five critical vulnerabilities in Dataprobe’s iBoot PDU:
• CyberPower DCIM:
o CVE-2023-3264: Use of Hard-coded Credentials (CVSS 6.7)
o CVE-2023-3265: Improper Neutralization of Escape, Meta, or Control Sequences (Auth Bypass; CVSS 7.2)
o CVE-2023-3266: Improperly Implemented Security Check for Standard (Auth Bypass; CVSS 7.5)
o CVE-2023-3267: OS Command Injection (Authenticated RCE; CVSS 7.5)
• Dataprobe iBoot PDU:
o CVE-2023-3259: Deserialization of Untrusted Data (Auth Bypass; CVSS 9.8)
o CVE-2023-3260: OS Command Injection (Authenticated RCE; CVSS 7.2)
o CVE-2023-3261: Buffer Overflow (DoS; CVSS 7.5)
o CVE-2023-3262: Use of Hard-coded Credentials (CVSS 6.7)
o CVE-2023-3263: Authentication Bypass by Alternate Name (Auth Bypass; CVSS 7.5)
In a world growing ever-reliant on massive amounts of data for business operations, critical infrastructure, and basic internet activities, major vulnerabilities in the data centers making all this possible are a large risk to daily society. Vulnerabilities that enable cybercriminals to slowly infect entire data center deployments to steal key data and information, or to utilize compromised resources to initiate attacks at a global scale, could be leveraged for massive damage. The threats and risks to both consumers and enterprises are high.
Below are some examples of the level of damage a malicious threat actor could do when utilizing exploits of this level across numerous data centers:
• Power Off: Through access to these power management systems, even the simple act of cutting power to devices connected to a PDU would be significant. Websites, business applications, consumer technologies, and critical infrastructure deployments all rely on the availability of these data centers to operate. A threat actor could cause significant disruption for days at a time with the simple "flip of a switch" in dozens of compromised data centers.
o Furthermore, manipulation of the power management can be used to damage the hardware devices themselves – making them far less effective if not inoperable. Data from the Uptime Institute shows that the costs of data center outages are on the rise. Today, 25% of outages cost more than $1 million, and 45% cost between $100,000 and $1 million. This translates to thousands or tens of thousands of dollars lost for every minute an organization’s data center doesn’t have power.
• Malware at Scale: Using these platforms to create a backdoor on the data center equipment provides bad actors a foothold to compromise a huge number of systems and devices. Some data centers host thousands of servers and connect to hundreds of various business applications. Malicious attackers could slowly compromise both the data center and the business networks connected to it.
o Malware across such a huge scale of devices could be leveraged for massive ransomware, DDoS, or wiper attacks – potentially even more widespread than those of Stuxnet, the Mirai botnet, or WannaCry.
• Digital Espionage: In addition to the previously mentioned malicious activities one would expect of cybercriminals, APTs and nation-state backed threat actors could leverage these exploits to conduct cyberespionage attacks.
o The 2018 concerns of spy chips in data centers would become a digital reality if spyware installed in data centers worldwide were to be leveraged for cyber espionage to inform foreign nation-states of sensitive information.
As discussed in the June edition of Trellix’s CyberThreat Report, cloud infrastructure attacks continue to rise following the digital transformation trend many organizations adopted to support work-from-home or hybrid workforces during the COVID-19 pandemic. As more and more businesses seek to expand their on-premises deployments or turn to a more affordable and scalable cloud infrastructure from Amazon, Microsoft, Google, and others, this has created a growing attack vector for threat actors.
Though attackers are also escalating their use of more sophisticated attacks on data center infrastructure, like MFA attacks, proxies, and API execution, the most prominent attack technique continues to be the use of valid accounts, which is more than double the second most commonly used attack vector. The risk of "rogue access" to organizations is very real, as cybercriminals use legitimate logins to enterprise platforms and business websites – whether bought and sold on the dark web or acquired through exploits like those discussed in this research – to infiltrate and conduct attacks.
Furthermore, analysis of the "leak site" data of many prominent cybercriminal groups indicates that small and medium-sized businesses tend to be the primary victims of their attacks. However, even these smaller organizations offer threat actors high "value" in compromising their data center infrastructure. A vulnerability on a single data center management platform or device can quickly lead to a complete compromise of the internal network and give threat actors a foothold to attack any connected cloud infrastructure further.
We are fortunate enough to have caught these vulnerabilities early – without having discovered any malicious uses in the wild of these exploits. However, data centers are attractive targets for cybercriminals due to the number of attack vectors and the ability to scale their attacks once a foothold has been achieved. Thus, we consider it imperative to continue this research and coordinate with data center software and hardware vendors to address and disclose potential threats to such a core part of our IT infrastructure.
As of publication of this blog, both Dataprobe and CyberPower have released fixes for these vulnerabilities with CyberPower DCIM version 2.6.9 of their PowerPanel Enterprise software and the latest 1.44.08042023 version of the Dataprobe iBoot PDU firmware. We strongly urge all potentially impacted customers to download and install these patches immediately.
In addition to the official patches, we would suggest taking additional steps for any deployment of these vulnerable products that may have been exposed to 0-day exploitation before the fixes were available:
• Ensure that your PowerPanel Enterprise or iBoot PDU is not exposed to the wider Internet. Each should be reachable only from within your organization’s secure intranet.
o In the case of the iBoot PDU, we suggest disabling remote access via Dataprobe’s cloud service as an added precaution.
• Modify the passwords associated with all user accounts and revoke any sensitive information stored on both appliances that may have been leaked.
• Update to the latest version of PowerPanel Enterprise or install the latest firmware for the iBoot PDU and subscribe to the relevant vendor’s security update notifications.
o Although this measure in and of itself will not reduce risk of attack via the vulnerabilities described in this document, updating all your software to the latest and greatest version promptly is the best practice for ensuring your window of exposure is as short as possible in this and future cases.
• Finally, Trellix customers are also protected with endpoint (EDR) and network (NX, Helix) detections of these vulnerabilities.
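The update step above is only verifiable if you can tell which assets are still below the fixed versions. The following is an added example (not CyberPower’s, Dataprobe’s, or Trellix’s code) that compares inventory entries against the two fixed versions named in this post. It assumes, since neither vendor documents its version scheme, that the 8-digit third component of the iBoot firmware string is a MMDDYYYY build date; hostnames and versions in the sample inventory are constructed.

```python
from datetime import datetime

# Minimum fixed versions stated in this advisory.
DCIM_FIXED = "2.6.9"
IBOOT_FIXED = "1.44.08042023"


def version_key(version: str) -> tuple:
    """Turn a dotted version string into a comparable tuple.

    Assumption (not stated by the vendors): an 8-digit component such as
    08042023 in the iBoot firmware string is a MMDDYYYY build date, so it
    is normalised to YYYYMMDD before comparison. Without that step
    1.44.01012024 would wrongly sort below 1.44.08042023.
    """
    key = []
    for part in version.strip().split("."):
        if len(part) == 8 and part.isdigit():
            build_date = datetime.strptime(part, "%m%d%Y")
            key.append(int(build_date.strftime("%Y%m%d")))
        else:
            key.append(int(part))
    return tuple(key)


def is_patched(product: str, version: str) -> bool:
    """True when the observed version is at or above the fixed release."""
    fixed = {"dcim": DCIM_FIXED, "iboot": IBOOT_FIXED}[product]
    return version_key(version) >= version_key(fixed)


# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = [
    {"host": "dcim-01.corp.example", "product": "dcim", "version": "2.6.8"},
    {"host": "dcim-02.corp.example", "product": "dcim", "version": "2.6.9"},
    {"host": "pdu-rack7.corp.example", "product": "iboot", "version": "1.43.12012022"},
    {"host": "pdu-rack8.corp.example", "product": "iboot", "version": "1.44.08042023"},
]


def unpatched_hosts(inventory) -> list:
    """Return the hostnames still below the fixed version, for follow-up."""
    return [a["host"] for a in inventory
            if not is_patched(a["product"], a["version"])]


if __name__ == "__main__":
    for host in unpatched_hosts(SAMPLE_INVENTORY):
        print("needs update:", host)
```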
Thanks to the explosion of IoT devices and AI applications in the past few decades, connected technologies today are a part of nearly every aspect of daily life – from the home to the enterprise. The services and capabilities enabled through the latest internet technologies greatly influence societal and cultural changes, as was experienced throughout the COVID-19 pandemic.
With how incredibly significant these services are for consumers and businesses, it’s clear that cybersecurity for the data centers making them possible is essential. It isn’t wrong to say today that proper cybersecurity posture and defenses for data centers are essential to the basic functioning of our economy and society. This level of importance makes them a target for threat actors looking to implement attacks on nation-states, ransom critical infrastructure, or conduct espionage for foreign nations.
Thus, the devices and software platforms that service data centers must remain secure and updated, and the vendors producing this hardware and software must have processes in place for a quick and efficient response following vulnerability disclosures.
We applaud both CyberPower and Dataprobe for their willingness and expediency in working with our team following the discovery of these vulnerabilities. Their responsiveness in creating protections for these vulnerabilities and releasing a patch for their customers shows true organizational maturity and drive to improve security across the entire industry.
This document and the information contained herein describes computer security research for educational purposes only and the convenience of Trellix customers. Trellix conducts research in accordance with its Vulnerability Reasonable Disclosure Policy | Trellix. Any attempt to recreate part or all of the activities described is solely at the user’s risk, and neither Trellix nor its affiliates will bear any responsibility or liability.