Multiple security vulnerabilities impacting CyberPower’s PowerPanel Enterprise Data Center Infrastructure Management (DCIM) platform and Dataprobe’s iBoot Power Distribution Unit (PDU) could potentially be exploited to gain unauthenticated access to these systems and inflict catastrophic damage in target environments.
The nine vulnerabilities, from CVE-2023-3259 through CVE-2023-3267, carry severity scores ranging from 6.7 to 9.8, enabling threat actors to shut down entire data centers and compromise data center deployments to steal data or launch massive attacks at scale.
“An attacker could chain these vulnerabilities together to gain full access to these systems,” Trellix security researchers Sam Quinn, Jesse Chick, and Philippe Laulheret said in a report shared with The Hacker News.
“Furthermore, both products are vulnerable to remote code injection that could be leveraged to create a backdoor or an entry point to the broader network of connected data center devices and enterprise systems.”
The findings were presented at the DEFCON security conference today. There is no evidence that these shortcomings have been abused in the wild. The list of flaws, which have been addressed in version 2.6.9 of PowerPanel Enterprise software and version 1.44.08042023 of the Dataprobe iBoot PDU firmware, is below –
Dataprobe iBoot PDU –
- CVE-2023-3259 (CVSS score: 9.8) – Deserialization of untrusted data, leading to authentication bypass
- CVE-2023-3260 (CVSS score: 7.2) – OS command injection, leading to authenticated remote code execution
- CVE-2023-3261 (CVSS score: 7.5) – Buffer overflow, leading to denial-of-service (DoS)
- CVE-2023-3262 (CVSS score: 6.7) – Use of hard-coded credentials
- CVE-2023-3263 (CVSS score: 7.5) – Authentication bypass by alternate name
CyberPower PowerPanel Enterprise –
- CVE-2023-3264 (CVSS score: 6.7) – Use of hard-coded credentials
- CVE-2023-3265 (CVSS score: 7.2) – Improper neutralization of escape, meta, or control sequences, leading to authentication bypass
- CVE-2023-3266 (CVSS score: 7.5) – Improperly Implemented Security Check for Standard, leading to authentication bypass
- CVE-2023-3267 (CVSS score: 7.5) – OS command injection, leading to authenticated remote code execution
Successful exploitation of the aforementioned flaws could impact critical infrastructure deployments that rely on data centers, resulting in shutdowns with a “flip of a switch,” and could be used to conduct widespread ransomware, DDoS, or wiper attacks, or cyber espionage.
“A vulnerability on a single data center management platform or device can quickly lead to a complete compromise of the internal network and give threat actors a foothold to attack any connected cloud infrastructure further,” the researchers said.