The pace of migrations to cloud infrastructure is drawing attention to previously unnoticed flaws in power management tools used in virtually every data center.
In research presented at DEF CON 31 in Las Vegas in August, Trellix researchers Sam Quinn and Jesse Chick demonstrated flaws in two separate power management appliances.
Those include four major vulnerabilities in CyberPower’s PowerPanel Enterprise Data Center Infrastructure Management (DCIM) platform, a tool IT administrators use, often remotely, to supervise the resource and energy consumption of a data center’s infrastructure components. Quinn and Chick also discovered five critical vulnerabilities in Dataprobe’s iBoot power distribution unit (PDU) for server racks.
Flaws in the DCIM included use of hardcoded credentials, ways to bypass authentication, and remote code execution via OS command injection. The most severe vulnerability in the PDU carried a CVSS 9.8 rating, and would allow an attacker to bypass authentication and connect the PDU to a rogue database, gaining administrator privileges.
All vulnerabilities the Trellix team identified have since been patched by the manufacturers.
According to Chick, PDUs are typically on their own VLAN separated from Windows servers or ones actually serving business resources, meaning attackers would likely be limited to shutting off power or cooling on racks.
“This is almost 100% dictated by how the system administrators decided to lay out that network,” Chick told IT Brew. “The potential impact of pivoting is going to vary widely, just given the network topology that we’re talking about.”
The DCIM vulnerabilities would allow an attacker to “pivot to a larger number of a broader spectrum of devices that are adjacent to the DCIM itself, and in the cloud or on prem, or those devices that it inherently must have visibility to that are in the data center environment,” Chick added.
The same line of Dataprobe PDUs was also found to have serious flaws by researchers with security firm Claroty’s Team82 last year, resulting in the Cybersecurity and Infrastructure Security Agency (CISA) issuing a warning.
In 2021, exposure management company Censys found over 2,600 active networked power switches exposed to the public internet, likely due to accidental misconfiguration, overly lenient access lists, and reuse of ports or automatic port forwarding.
Chick told IT Brew he was surprised at the overall lack of prior research into data center infrastructure and, while Trellix didn’t take an extensive look into other devices, expressed concern that similar vulnerabilities could be widespread.
“There hasn’t been much of a spotlight on this class of products,” Chick said.
Sharon Brizinov, Team82’s director of security research, said the vulnerabilities were emblematic of a much larger issue with the supply chain for data center infrastructure—that operators often have limited insight into products ranging from building management and HVAC systems to environmental and power controllers.
“The best way to protect these devices is to first have visibility into the irregular type of devices you have in your network,” Brizinov told IT Brew.
The Trellix team argued the findings should challenge the widespread assumption that cloud migrations inherently enhance security, even though the same components are used in on-prem environments.
“There’s just a whole lot fewer moving pieces involved,” Chick told IT Brew. “You can, as an administrator [who] knows what they’re doing really well, lock down your on-prem location in a way that eliminates the presence of that additional attack surface that is necessarily opened up when you co-locate in some larger data center.”
“That’s all going to come down to network topology and the competence of the third party that you’re hosting with,” he added.