Let's play... Force off the power to someone else's datacenter systems

Trellix bods say it's not that hard to do, thanks to these vulnerabilities


DEF CON It would be relatively easy for miscreants to break into critical datacenter power management gear, shut off electricity supplies to multiple connected devices, and disrupt all kinds of services — from critical infrastructure to business applications — all at the press of a button.

This claim was made by Trellix security researchers Sam Quinn and Jesse Chick, who found nine bugs in CyberPower's PowerPanel Enterprise DCIM and five vulnerabilities in Dataprobe's iBoot Power Distribution Unit (PDU), and detailed their exploits at DEF CON 31 today.

In their talk, and accompanying research, they showed how network intruders could cut electricity to datacenter equipment – servers, switches, and the like – connected to vulnerable power management devices.

Or, they told The Register, criminals could chain these vulnerabilities together to do something a little more stealthy and long-game-ish, such as open backdoors on the supply equipment, and deploy spyware or some type of destructive malware.

Both vendors, CyberPower and Dataprobe, released fixes to address the flaws in the lead-up to DEF CON, after working with the researchers. Users can update to version 2.6.9 of CyberPower's PowerPanel Enterprise DCIM software, and to the latest 1.44.08042023 version of the Dataprobe iBoot PDU firmware, to plug the holes.
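For teams checking their own estate against those two fixed releases, here is an added example (not code from the article, Trellix, or either vendor) that audits an inventory list. The product keys, hostnames and sample rows are constructed, and it assumes the last field of the iBoot version is a build date written MMDDYYYY, which a plain numeric comparison would order incorrectly across years.

```python
from datetime import date

# Fixed releases named in the article.
FIXED = {
    "powerpanel-enterprise": "2.6.9",
    "iboot-pdu": "1.44.08042023",
}

def parse_version(product, text):
    """Return a sortable tuple for a version string.

    Assumption: the iBoot PDU's third field is a build date written MMDDYYYY,
    so it is compared as a date rather than as an integer.
    """
    parts = text.strip().lstrip("vV").split(".")
    if product == "iboot-pdu":
        if len(parts) != 3 or len(parts[2]) != 8:
            raise ValueError(f"unexpected iBoot version: {text!r}")
        stamp = parts[2]
        build = date(int(stamp[4:]), int(stamp[:2]), int(stamp[2:4]))
        return (int(parts[0]), int(parts[1]), build.toordinal())
    return tuple(int(p) for p in parts)

def audit(inventory):
    """Map each host to 'patched', 'vulnerable', or 'unknown'."""
    report = {}
    for host, product, version in inventory:
        try:
            current = parse_version(product, version)
            fixed = parse_version(product, FIXED[product])
        except (KeyError, ValueError):
            report[host] = "unknown"  # unrecognised product or malformed version
            continue
        report[host] = "patched" if current >= fixed else "vulnerable"
    return report

# Constructed inventory rows (host, product, reported version); not real devices.
SAMPLE = [
    ("dcim-01", "powerpanel-enterprise", "2.6.0"),
    ("dcim-02", "powerpanel-enterprise", "2.6.9"),
    ("dcim-03", "powerpanel-enterprise", "2.10.1"),
    ("pdu-a1", "iboot-pdu", "1.43.03312023"),
    ("pdu-a2", "iboot-pdu", "1.44.08042023"),
    ("pdu-a3", "iboot-pdu", "1.44.01152024"),
    ("pdu-a4", "iboot-pdu", "unknown"),
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host}: {status}")
```

Hosts reported as "unknown" need a manual look, since a device that cannot state its version cannot be assumed patched.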

"Datacenters are an under-researched aspect of critical infrastructure," Quinn told The Register. While Trellix focused on two commonly used power management and supply products from two manufacturers, there are plenty more boxes from other suppliers to explore, making this research area "ripe for conquest," Chick said.

CyberPower's DCIM gear allows IT teams to manage datacenter infrastructure via the cloud, and it's commonly used by companies managing everything from on-premises server deployments to larger, co-located datacenters, we're told.

The duo found four bugs in the DCIM platform:

Miscreants could use any of the first three CVEs to bypass authentication checks, gain access to the management console, and shut down devices within datacenters. A miscreant would need to be able to connect to the console, we note.

"That actually has quite a devastating amount of cost," Quinn said, citing statistics from Uptime Institute that found 25 percent of datacenter outages cost more than $1 million, while 45 percent cost between $100,000 and $1 million. "Simply turning off devices is quite an impact."

Shutting down datacenter devices via the Dataprobe iBoot PDU vulnerabilities is similarly easy, according to the researchers, provided you can reach its management interface.

The team found five bugs in this product:

"The character of the vulnerabilities that we found in both products was actually very, very similar since they both have this web-based management interface," Chick said. "The task number one would be to bypass authentication such that we can carry out actions with administrator privileges — that in itself is enough to do a sufficient amount of damage."

As such, bypassing authentication in the PDU would enable a miscreant to turn power on and off to server racks, network switches, or anything else connected to that device, he added.

"But once we are able to bypass authentication and access those restricted endpoints, we can achieve code execution on the underlying operating system and install malware," Chick said.

The Trellix team hasn't developed proof-of-concept exploits that could, for instance, be used to deploy malware across a datacenter via the above holes — that's something for future research.

"But that would be how you would accomplish things like corporate espionage," Chick said. "You would want to install some kind of a tool that would monitor network traffic or, or collect logs, harvest credentials, and that kind of thing."

Miscreants could do this by chaining the authentication bypass flaws with the OS command injection to gain root access on the power supply gear. And from there, they could cause other mischief and havoc.

The iBoot PDU can be configured to send emails via an external mail server. The researchers were able to get a compromised unit's SMTP server username and password so that they could connect to that mail server themselves and send messages as the device.

"That opens the door for phishing attempts from legitimate email accounts for this PDU that could be devastating," Quinn said.

Mass malware deployment or corporate espionage would be a little easier to pull off via PDU exploits, according to the team, because of a couple of key differences compared to the DCIM.

While the DCIM runs on a typical server, probably protected by some type of antivirus, the PDU is an embedded device running Linux. If an attacker is able to install malware on the PDU's underlying Linux OS, it's going to be more difficult — and probably take longer — to detect.

"That would give a potential attacker a bit of latitude to pivot to adjacent devices and harvest more information or cause more damage to devices beyond just the PDU within that datacenter environment," Chick said.

We've asked Dataprobe and CyberPower for further comment. ®
