Multiple Flaws Uncovered in Data Center Systems

Cyber Security Threat Summary:
Multiple vulnerabilities have been discovered in data center power management systems and supply technologies, enabling unauthorized access and remote code injection by threat actors. These vulnerabilities can be exploited to gain full access to data center systems, perform remote code injection, and create backdoors, potentially compromising connected devices and the broader network. The vulnerabilities were found in CyberPower's PowerPanel Enterprise Data Center Infrastructure Management platform and Dataprobe's iBoot Power Distribution Unit. The impacted products are commonly used by businesses managing on-premises server deployments and data centers. The vulnerabilities, tracked as CVE-2023-3259 through CVE-2023-3267, have CVSS scores ranging from 6.7 to 9.8. The researchers recommend that affected customers apply patches immediately to mitigate these risks.

Security Officer Comments:
Vulnerable products outlined in this article pose a significant threat to the security and operational continuity of data centers. The ability to gain unauthorized access, perform remote code injection, and create backdoors can lead to severe disruptions, potential hardware damage, and even large-scale attacks. Given the increasing reliance on data centers for critical services, businesses should prioritize patching and implementing security measures to prevent exploitation and protect against potentially devastating consequences.

Suggested Correction(s):
It is crucial for organizations using the affected products to promptly apply the provided patches to mitigate the vulnerabilities. Additionally, maintaining strong access controls, regularly updating and monitoring systems, and segmenting critical infrastructure can help reduce the attack surface and limit the potential impact of such vulnerabilities. Organizations should also establish incident response plans to swiftly address any security breaches and minimize their repercussions.

CyberPower DCIM:

  • CVE-2023-3264: Use of hard-coded credentials; CVSS score - 6.7;
  • CVE-2023-3265: Improper neutralization of escape, meta or control sequences; CVSS score - 7.2;
  • CVE-2023-3266: Improperly implemented security check for standard; CVSS score - 7.5;
  • CVE-2023-3267: OS command injection; CVSS score - 7.5.

Dataprobe iBoot-PDU:

  • CVE-2023-3259: Deserialization of untrusted data; CVSS score - 9.8;
  • CVE-2023-3260: OS command injection; CVSS score - 7.2;
  • CVE-2023-3261: Buffer overflow; CVSS score - 7.5;
  • CVE-2023-3262: Use of hard-coded credentials; CVSS score - 6.7;
  • CVE-2023-3263: Authentication bypass by alternate name; CVSS score - 7.5.