
Let's play... Force off the power to someone else's datacenter systems

Trellix bods say it's not that hard to do, thanks to these vulnerabilities


DEF CON It would be relatively easy for miscreants to break into critical datacenter power management gear, shut off electricity supplies to multiple connected devices, and disrupt all kinds of services — from critical infrastructure to business applications — all at the press of a button.

This claim was made by Trellix security researchers Sam Quinn and Jesse Chick, who found nine bugs in CyberPower's PowerPanel Enterprise DCIM and five vulnerabilities in Dataprobe's iBoot Power Distribution Unit (PDU), and detailed their exploits at DEF CON 31 today.

In their talk, and accompanying research, they showed how network intruders could cut electricity to datacenter equipment – servers, switches, and the like – connected to vulnerable power management devices.

Or, they told The Register, criminals could chain these vulnerabilities together to do something a little more stealthy and long-game-ish, such as open backdoors on the supply equipment, and deploy spyware or some type of destructive malware.

Both vendors, CyberPower and Dataprobe, released fixes to address the flaws in the lead-up to DEF CON, after working with the researchers. Users can update to version 2.6.9 of CyberPower's PowerPanel Enterprise DCIM software, and to the latest 1.44.08042023 version [firmware image] of the Dataprobe iBoot PDU firmware, to plug the holes.

"Datacenters are an under-researched aspect of critical infrastructure," Quinn told The Register. While Trellix focused on two commonly used power management and supply products from two manufacturers, there are plenty more boxes from other suppliers to explore, making this research area "ripe for conquest," Chick said.

CyberPower's DCIM gear allows IT teams to manage datacenter infrastructure via the cloud, and it's commonly used by companies managing on-premises server deployments to larger, co-located datacenters, we're told.

The duo found four bugs in the DCIM platform:

Miscreants could use any of the first three CVEs to bypass authentication checks, gain access to the management console, and shut down devices within datacenters. A miscreant would need to be able to connect to the console, we note.

"That actually has quite a devastating amount of cost," Quinn said, citing statistics from Uptime Institute that found 25 percent of datacenter outages cost more than $1 million, while 45 percent cost between $100,000 and $1 million. "Simply turning off devices is quite an impact."

Shutting down datacenter devices via the Dataprobe iBoot PDU vulnerabilities is similarly easy, according to the researchers, provided you can reach its management interface.

The team found five bugs in this product:

"The character of the vulnerabilities that we found in both products was actually very, very similar since they both have this web based management interface," Chick said. "The task number one would be to bypass authentication such that we can carry out actions with administrator privileges — that in itself is enough to do a sufficient amount of damage."

As such, bypassing authentication in the PDU would enable a miscreant to turn power on and off to server racks, network switches, or anything else connected to that device, he added.

"But once we are able to bypass authentication and access those restricted endpoints, we can achieve code execution on the underlying operating system and install malware," Chick said.

The Trellix team hasn't developed proof-of-concept exploits that could, for instance, be used to deploy malware across a datacenter via the above holes — that's something for future research.

"But that would be how you would accomplish things like corporate espionage," Chick said. "You would want to install some kind of a tool that would monitor network traffic or collect logs, harvest credentials, and that kind of thing."

Miscreants could do this by chaining the authentication bypass flaws with the OS command injection to gain root access on the power supply gear. And from there, they could cause other mischief and havoc.
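The chain described above works because a web management endpoint both trusts an unauthenticated caller and passes request parameters into a shell. The following is an added illustration, not code from the article or from either vendor's product: a constructed outlet-control handler written the vulnerable way beside a hardened version that enforces a session check and allowlists the outlet number and action before building an argument list for a hypothetical `outletctl` helper. All names, tokens and the helper binary are assumptions for the example.

```python
import subprocess
from typing import Callable, List, Optional

# Constructed example of a PDU/DCIM-style outlet control endpoint.
# 'outletctl' is a hypothetical local helper; the session store is a stand-in
# for whatever the real device uses. Nothing here is vendor code.

ALLOWED_ACTIONS = {"on", "off", "cycle"}
MAX_OUTLET = 8

# Constructed session store: token -> session record.
SESSIONS = {"constructed-admin-token": {"user": "admin", "role": "admin"}}


def unsafe_command(outlet: str, action: str) -> str:
    """Vulnerable pattern: request parameters interpolated into a shell string.

    Anything the caller supplies, including shell metacharacters, ends up
    in the command line verbatim. This is the shape of an OS command
    injection bug; it is shown only to contrast with safe_argv below.
    """
    return f"outletctl --outlet {outlet} --{action}"


def is_valid_request(outlet: str, action: str) -> bool:
    """Strict allowlist: outlet must be a small integer, action a known verb."""
    if not outlet.isdigit():
        return False
    if not 1 <= int(outlet) <= MAX_OUTLET:
        return False
    return action in ALLOWED_ACTIONS


def safe_argv(outlet: str, action: str) -> List[str]:
    """Hardened pattern: validate, then build an argv list (no shell involved)."""
    if not is_valid_request(outlet, action):
        raise ValueError("rejected outlet/action parameters")
    return ["outletctl", "--outlet", str(int(outlet)), f"--{action}"]


def is_authorized(token: Optional[str]) -> bool:
    """Only an authenticated admin session may switch power."""
    session = SESSIONS.get(token or "")
    return session is not None and session.get("role") == "admin"


def handle_request(token: Optional[str], outlet: str, action: str,
                   runner: Optional[Callable[[List[str]], int]] = None) -> int:
    """Authenticate first, then validate, then execute without a shell.

    'runner' is injectable so the handler can be exercised without the
    hypothetical outletctl binary being present.
    """
    if not is_authorized(token):
        raise PermissionError("authentication required")
    argv = safe_argv(outlet, action)
    if runner is None:
        # shell=False (the default): argv elements are never reinterpreted.
        return subprocess.run(argv, check=False).returncode
    return runner(argv)


if __name__ == "__main__":
    # Dry-run runner so the example runs offline.
    def dry_run(argv: List[str]) -> int:
        print("would execute:", argv)
        return 0

    print("vulnerable string:", unsafe_command("1; reboot", "off"))
    print("hardened handler:", handle_request("constructed-admin-token", "1", "off", dry_run))
    for bad in (("1; reboot", "off"), ("1", "off && id"), ("99", "on")):
        print(bad, "valid?", is_valid_request(*bad))
```

The two defensive checks are independent: `is_authorized` closes the authentication-bypass half of the chain, and `is_valid_request` plus the argv list close the command-injection half, so a failure in either still leaves the other in place.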

The iBoot PDU can be configured to send emails via an external mail server. The researchers were able to get a compromised unit's SMTP server username and password so that they could connect to that mail server themselves and send messages as the device.

"That opens the door for phishing attempts from legitimate email accounts for this PDU that could be devastating," Quinn said.

Mass malware deployment or corporate espionage would be a little easier to pull off via PDU exploits, according to the team, because of a couple of key differences compared to the DCIM.

While the DCIM runs on a typical server, probably protected by some type of antivirus, the PDU is an embedded device running Linux. If an attacker is able to install malware on the PDU's underlying Linux OS, it's going to be more difficult — and probably take longer — to detect.

"That would give a potential attacker quite a bit of latitude to pivot to adjacent devices and harvest more information or cause more damage to devices beyond just the PDU within that datacenter environment," Chick said.

We've asked Dataprobe and CyberPower for further comment. ®
