Friday, June 20, 2025

Multiple Flaws in CyberPower and Dataprobe Products Put Data Centers at Risk


Aug 12, 2023 | THN | Server Security / Cyber Threat


Multiple security vulnerabilities impacting CyberPower's PowerPanel Enterprise Data Center Infrastructure Management (DCIM) platform and Dataprobe's iBoot Power Distribution Unit (PDU) could potentially be exploited to gain unauthenticated access to these systems and inflict catastrophic damage in target environments.

The nine vulnerabilities, from CVE-2023-3259 through CVE-2023-3267, carry severity scores ranging from 6.7 to 9.8, enabling threat actors to shut down entire data centers and compromise data center deployments to steal data or launch attacks at a massive scale.

"An attacker could chain these vulnerabilities together to gain full access to these systems," Trellix security researchers Sam Quinn, Jesse Chick, and Philippe Laulheret said in a report shared with The Hacker News.

"Moreover, both products are vulnerable to remote code injection that could be leveraged to create a backdoor or an entry point to the broader network of connected data center devices and enterprise systems."


The findings were presented at the DEF CON security conference today. There is no evidence that these shortcomings have been abused in the wild. The list of flaws, which have been addressed in version 2.6.9 of the PowerPanel Enterprise software and version 1.44.08042023 of the Dataprobe iBoot PDU firmware, is below:

Dataprobe iBoot PDU:

  • CVE-2023-3259 (CVSS score: 9.8) – Deserialization of untrusted data, leading to authentication bypass
  • CVE-2023-3260 (CVSS score: 7.2) – OS command injection, leading to authenticated remote code execution
  • CVE-2023-3261 (CVSS score: 7.5) – Buffer overflow, leading to denial-of-service (DoS)
  • CVE-2023-3262 (CVSS score: 6.7) – Use of hard-coded credentials
  • CVE-2023-3263 (CVSS score: 7.5) – Authentication bypass by alternate name

CyberPower PowerPanel Enterprise:

  • CVE-2023-3264 (CVSS score: 6.7) – Use of hard-coded credentials
  • CVE-2023-3265 (CVSS score: 7.2) – Improper neutralization of escape, meta, or control sequences, leading to authentication bypass
  • CVE-2023-3266 (CVSS score: 7.5) – Improperly implemented security check for standard, leading to authentication bypass
  • CVE-2023-3267 (CVSS score: 7.5) – OS command injection, leading to authenticated remote code execution

Successful exploitation of the aforementioned flaws could impact critical infrastructure deployments that rely on data centers, resulting in shutdowns with a "flip of a switch," widespread ransomware, DDoS or wiper attacks, or cyber espionage.

"A vulnerability on a single data center management platform or device can quickly lead to a complete compromise of the internal network and give threat actors a foothold to attack any connected cloud infrastructure further," the researchers said.
