Aug 12, 2023THNServer Safety / Cyber Risk

A number of safety vulnerabilities impacting CyberPower’s PowerPanel Enterprise Knowledge Middle Infrastructure Administration (DCIM) platform and Dataprobe’s iBoot Energy Distribution Unit (PDU) could possibly be probably exploited to achieve unauthenticated entry to those techniques and inflict catastrophic injury in goal environments.

The 9 vulnerabilities, from CVE-2023-3259 by way of CVE-2023-3267, carry severity scores starting from 6.7 to 9.8, enabling risk actors to close down complete knowledge facilities and compromise knowledge middle deployments to steal knowledge or launch large assaults at an enormous scale.

“An attacker may chain these vulnerabilities collectively to achieve full entry to those techniques,” Trellix safety researchers Sam Quinn, Jesse Chick, and Philippe Laulheret mentioned in a report shared with The Hacker Information.

“Moreover, each merchandise are weak to distant code injection that could possibly be leveraged to create a backdoor or an entry level to the broader community of related knowledge middle units and enterprise techniques.”

The findings had been introduced on the DEFCON safety convention at this time. There is no such thing as a proof that these shortcomings had been abused within the wild. The checklist of flaws, which have been addressed in model 2.6.9 of PowerPanel Enterprise software program and model 1.44.08042023 of the Dataprobe iBoot PDU firmware, is under –

Dataprobe iBoot PDU –

• CVE-2023-3259 (CVSS rating: 9.8) – Deserialization of untrusted knowledge, resulting in authentication bypass
• CVE-2023-3260 (CVSS rating: 7.2) – OS command injection, resulting in authenticated distant code execution
• CVE-2023-3261 (CVSS rating: 7.5) – Buffer overflow, resulting in denial-of-service (DoS)
• CVE-2023-3262 (CVSS rating: 6.7) – Use of hard-coded credentials
• CVE-2023-3263 (CVSS rating: 7.5) – Authentication bypass by alternate identify

CyberPower PowerPanel Enterprise –

• CVE-2023-3264 (CVSS rating: 6.7) – Use of hard-coded credentials
• CVE-2023-3265 (CVSS rating: 7.2) – Improper neutralization of escape, meta, or management sequences, resulting in authentication bypass
• CVE-2023-3266 (CVSS rating: 7.5) – Improperly Applied Safety Verify for Commonplace, resulting in authentication bypass
• CVE-2023-3267 (CVSS rating: 7.5) – OS command injection, resulting in authenticated distant code execution

Profitable exploitation of the aforementioned flaws may affect important infrastructure deployments that depend on knowledge facilities, leading to shutdowns with a “flip of a swap,” conduct widespread ransomware, DDoS or wiper assaults, or conduct cyber espionage.

“A vulnerability on a single knowledge middle administration platform or gadget can shortly lead to a whole compromise of the inner community and provides risk actors a foothold to assault any related cloud infrastructure additional,” the researchers mentioned.