Vulnerabilities in power management products made by CyberPower and Dataprobe could be exploited in attacks aimed at data centers, allowing threat actors to spy on organizations or cause damage, according to threat detection and response firm Trellix.
Trellix researchers have analyzed CyberPower’s PowerPanel Enterprise data center power management software and Dataprobe’s iBoot power distribution unit (PDU). They discovered a total of nine vulnerabilities, including ones allowing an attacker to gain full access to the targeted system.
Previous research showed that many PDUs, including the iBoot product, are often exposed to the internet, making it possible to launch remote attacks against organizations using them.
In the CyberPower PowerPanel Enterprise product, Trellix researchers discovered four vulnerabilities, including hardcoded credentials, authentication bypass, and OS command injection issues.
In the Dataprobe iBoot PDU, they identified five vulnerabilities, indcluding OS command injection, authentication bypass, hardcoded credentials, and denial-of-service (DoS) issues.
In real world attacks, threat actors could exploit these types of vulnerabilities to cut power to connected devices and cause significant disruption.
“A threat actor could cause significant disruption for days at a time with the simple ‘flip of a switch’ in dozens of compromised data centers,” Trellix warned.
“Furthermore, manipulation of the power management can be used to damage the hardware devices themselves – making them far less effective if not inoperable,” it added, noting that this could result in financial losses of thousands or tens of thousands of dollars for every minute the data center’s power is down.
In addition to directly causing damage or disruption, hackers could plant backdoors on the data center equipment and use them to compromise other systems and devices.
“Some data centers host thousands of servers and connect to hundreds of various business applications. Malicious attackers could slowly compromise both the data center and the business networks connected to it,” Trellix said.
Compromised data center power management systems could also be leveraged by state-sponsored threat actors to conduct cyberespionage.
CyberPower and Dataprobe have been notified and both vendors have released updates to patch the vulnerabilities. In addition to installing the patches, organizations are advised to ensure that their systems are not exposed to the internet.
Trellix said it was not aware of any malicious attacks exploiting these vulnerabilities.