Let's play... Force off the power to someone else's datacenter systems
Trellix bods say it's not that hard to do, thanks to these vulnerabilities
DEF CON It would be relatively easy for miscreants to break into critical datacenter power management gear, shut off electricity supplies to multiple connected devices, and disrupt all kinds of services — from critical infrastructure to business applications — all at the press of a button.
This claim was made by Trellix security researchers Sam Quinn and Jesse Chick, who found nine bugs in CyberPower's PowerPanel Enterprise DCIM and five vulnerabilities in Dataprobe's iBoot Power Distribution Unit (PDU), and detailed their exploits at DEF CON 31 today.
In their talk, and accompanying research, they showed how network intruders could cut electricity to datacenter equipment – servers, switches, and the like – connected to vulnerable power management devices.
Or, they told The Register, criminals could chain these vulnerabilities together to do something a little more stealthy and long-game-ish, such as open backdoors on the supply equipment, and deploy spyware or some type of destructive malware.
Both vendors, CyberPower and Dataprobe, released fixes to address the flaws in the lead-up to DEF CON and after working with the researchers. Users can update to version 2.6.9 of CyberPower's PowerPanel Enterprise DCIM software, and to the latest Dataprobe iBoot PDU firmware, version 1.44.08042023, to plug the holes.
"Datacenters are an under-researched aspect of critical infrastructure," Quinn told The Register. While Trellix focused on two commonly used power management and supply products from two manufacturers, there are plenty more boxes from other suppliers to explore, making this research area "ripe for conquest," Chick said.
CyberPower's DCIM gear allows IT teams to manage datacenter infrastructure via the cloud, and it's commonly used by organizations ranging from companies managing on-premises server deployments to larger, co-located datacenters, we're told.
The duo found four bugs in the DCIM platform:
- CVE-2023-3264: Use of hard-coded credentials (CVSS severity 6.7 out of 10)
- CVE-2023-3265: Improper neutralization of escape, meta, or control sequences (authentication bypass; CVSS 7.2)
- CVE-2023-3266: Improperly implemented security check for standard (another bypass; CVSS 7.5)
- CVE-2023-3267: OS command injection (authenticated remote-code execution; CVSS 7.5)
Miscreants could use any of the first three CVEs to bypass authentication checks, gain access to the management console, and shut down devices within datacenters. A miscreant would need to be able to connect to the console, we note.
"That actually has quite a devastating amount of cost," Quinn said, citing statistics from Uptime Institute that found 25 percent of datacenter outages cost more than $1 million, while 45 percent cost between $100,000 and $1 million. "Simply turning off devices is quite an impact."
Shutting down datacenter devices via the Dataprobe iBoot PDU vulnerabilities is similarly easy, according to the researchers, provided you can reach its management interface.
The team found five bugs in this product:
- CVE-2023-3259: Deserialization of untrusted data (authentication bypass; CVSS 9.8)
- CVE-2023-3260: OS command injection (authenticated remote-code execution; CVSS 7.2)
- CVE-2023-3261: Buffer overflow (denial-of-service; CVSS 7.5)
- CVE-2023-3262: Use of hard-coded credentials (CVSS 6.7)
- CVE-2023-3263: Authentication bypass by alternate name (another bypass; CVSS 7.5)
"The character of the vulnerabilities that we found in both products was actually very, very similar since they both have this web-based management interface," Chick said. "The task number one would be to bypass authentication such that we can carry out actions with administrator privileges — that in itself is enough to do a sufficient amount of damage."
As such, bypassing authentication in the PDU would enable a miscreant to turn power on and off to server racks, network switches, or anything else connected to that device, he added.
"But once we are able to bypass authentication and access those restricted endpoints, we can achieve code execution on the underlying operating system and install malware," Chick said.
The Trellix team hasn't developed proof-of-concept exploits that could, for instance, be used to deploy malware across a datacenter via the above holes — that's something for future research.
"But that would be how you would accomplish things like corporate espionage," Chick said. "You would want to install some kind of a tool that would monitor network traffic or collect logs, harvest credentials, and that kind of thing."
Miscreants could do this by chaining the authentication bypass flaws with the OS command injection to gain root access on the power supply gear. And from there, they could cause other mischief and havoc.
The iBoot PDU can be configured to send emails via an external mail server. The researchers were able to get a compromised unit's SMTP server username and password so that they could connect to that mail server themselves and send messages as the device.
"That opens the door for phishing attempts from legitimate email accounts for this PDU that could be devastating," Quinn said.
Mass malware deployment or corporate espionage would be a little easier to pull off via PDU exploits, according to the team, because of a couple of key differences compared to the DCIM.
While the DCIM runs on a typical server, probably protected by some type of antivirus, the PDU is an embedded device running Linux. If an attacker is able to install malware on the PDU's underlying Linux OS, it's going to be more difficult — and probably take longer — to detect.
"That would give a potential attacker a bit of latitude to pivot to adjacent devices and harvest more information or cause more damage to devices beyond just the PDU within that datacenter environment," Chick said.
We've asked Dataprobe and CyberPower for further comment. ®