Trellix researchers are warning of vulnerabilities in products from two vendors, CyberPower and Dataprobe, that are widely used in data centres. One of the flaws is rated “critical”, with a CVSS score of 9.8.
The company presented its work at DEF CON in Las Vegas last week. Trellix said both CyberPower and Dataprobe have released fixes.
In a blog post, Trellix warns that the vulnerabilities could be exploited to power down a data centre, to plant malware that could spread to customer machines hosted there, or to conduct espionage.
The most serious vulnerability is in the Dataprobe iBoot power distribution unit (PDU): CVE-2023-3259, the 9.8-rated deserialisation of untrusted data bug, whose entry is yet to be published by Mitre, which maintains the CVE database. Deserialising attacker-controlled data lets the attacker choose which objects, and therefore which code paths, the receiving program constructs, which is why this bug class is so often rated as remote code execution.
iBoot is also vulnerable to CVE-2023-3260, an operating system command injection vulnerability with a CVSS score of 7.2; CVE-2023-3261, a buffer overflow vulnerability scored at 7.5; CVE-2023-3262, a hard-coded credential bug scored at 6.7; and CVE-2023-3263, an authentication bypass rated 7.5.
Trellix explained that the PDU has been in service since 2016, and consequently thousands are in the field “for tasks including digital signage, telecommunications, remote site management, and much more”.
CyberPower’s PowerPanel Enterprise system monitoring software is subject to four vulnerabilities: CVE-2023-3264, a hard-coded credentials bug rated 6.7; CVE-2023-3265, in which escape or control sequences aren’t properly neutralised, rated 7.2; CVE-2023-3266, an authentication bypass rated 7.5; and CVE-2023-3267, an OS command injection bug exploitable for remote code execution rated 7.5.
The command injection bugs “could be leveraged to create a backdoor or an entry point to the broader network of connected data center devices and enterprise systems”, Trellix said, and the vulnerabilities could be chained together to gain “full access” to the systems. Since both vendors have shipped fixes, updating the iBoot firmware and PowerPanel Enterprise is the immediate mitigation.
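To make the OS command injection class concrete, here is an added illustration that is not code from Dataprobe, CyberPower or Trellix and does not reproduce any of the CVEs above. It is a constructed, hypothetical “network diagnostics” handler of the kind embedded management web UIs expose, with the vulnerable pattern beside its hardened form; `echo` stands in for the real utility (such as `ping`) so it runs offline, and it assumes a POSIX `/bin/sh` and `/bin/echo`. The function names, the `HOST_RE` allowlist and the sample payload are all this example's own.

```python
import re
import subprocess

# Hypothetical "network diagnostics" endpoint of the kind embedded management
# web UIs expose (constructed for this example; not Dataprobe, CyberPower or
# Trellix code). `echo` stands in for the real tool (e.g. ping) so the example
# runs offline; it assumes a POSIX /bin/sh and /bin/echo.

# Allowlist for a plain DNS name or dotted-quad IPv4 literal (assumption: that
# is all the endpoint legitimately needs). A leading '-' also fails, which
# blocks argument injection against the invoked program.
HOST_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252}[A-Za-z0-9])?")


def is_valid_host(host: str) -> bool:
    """True only if the whole string matches the hostname/IPv4 allowlist."""
    return HOST_RE.fullmatch(host) is not None


def diag_vulnerable(host: str) -> str:
    """Vulnerable pattern: untrusted input spliced into a shell command line.

    With shell=True the string is parsed by /bin/sh, so a value such as
    "8.8.8.8; echo INJECTED" runs a second command of the attacker's choosing.
    """
    cmd = f"echo lookup {host}"  # a real device would run e.g. 'ping -c 1 <host>'
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def diag_hardened(host: str) -> str:
    """Hardened pattern: allowlist the parameter, then exec without a shell."""
    if not is_valid_host(host):
        raise ValueError(f"rejected host parameter: {host!r}")
    # argv list with shell=False: the value reaches the program as a single
    # argument and is never parsed by /bin/sh, so ';', '|' and '$()' are inert.
    return subprocess.run(["echo", "lookup", host],
                          capture_output=True, text=True).stdout


if __name__ == "__main__":
    payload = "8.8.8.8; echo INJECTED"   # constructed injection payload
    print("vulnerable:", repr(diag_vulnerable(payload)))  # second command ran
    print("hardened  :", repr(diag_hardened("8.8.8.8")))
    try:
        diag_hardened(payload)
    except ValueError as exc:
        print("hardened  :", exc)
```

The two defences are deliberately layered: dropping the shell removes the interpreter that gives metacharacters their meaning, while the allowlist stops the value from being abused as an option to the invoked program even when no shell is involved.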