A number of security vulnerabilities impacting CyberPower’s PowerPanel Enterprise Data Center Infrastructure Management (DCIM) platform and Dataprobe’s iBoot Power Distribution Unit (PDU) could potentially be exploited to gain unauthenticated access to these systems and inflict catastrophic damage in target environments.
The nine vulnerabilities, from CVE-2023-3259 through CVE-2023-3267, carry severity scores ranging from 6.7 to 9.8, enabling threat actors to shut down entire data centers and compromise data center deployments to steal data or launch substantial attacks at a massive scale.
“An attacker could chain these vulnerabilities together to gain full access to these systems,” Trellix security researchers Sam Quinn, Jesse Chick, and Philippe Laulheret said in a report shared with The Hacker News.
“Furthermore, both products are vulnerable to remote code injection that could be leveraged to create a backdoor or an entry point to the broader network of connected data center devices and enterprise systems.”
The findings were presented at the DEFCON security conference today. There is no evidence that these shortcomings were abused in the wild. The list of flaws, which have been addressed in version 2.6.9 of PowerPanel Enterprise software and version 1.44.08042023 of the Dataprobe iBoot PDU firmware, is below –
Dataprobe iBoot PDU –
- CVE-2023-3259 (CVSS score: 9.8) – Deserialization of untrusted data, leading to authentication bypass
- CVE-2023-3260 (CVSS score: 7.2) – OS command injection, leading to authenticated remote code execution
- CVE-2023-3261 (CVSS score: 7.5) – Buffer overflow, leading to denial-of-service (DoS)
- CVE-2023-3262 (CVSS score: 6.7) – Use of hard-coded credentials
- CVE-2023-3263 (CVSS score: 7.5) – Authentication bypass by alternate name
CyberPower PowerPanel Enterprise –
- CVE-2023-3264 (CVSS score: 6.7) – Use of hard-coded credentials
- CVE-2023-3265 (CVSS score: 7.2) – Improper neutralization of escape, meta, or control sequences, leading to authentication bypass
- CVE-2023-3266 (CVSS score: 7.5) – Improperly Implemented Security Check for Standard, leading to authentication bypass
- CVE-2023-3267 (CVSS score: 7.5) – OS command injection, leading to authenticated remote code execution
Successful exploitation of the aforementioned flaws could impact critical infrastructure deployments that rely on data centers, resulting in shutdowns with a “flip of a switch,” and could be used to conduct widespread ransomware, DDoS or wiper attacks, or cyber espionage.
“A vulnerability on a single data center management platform or device can quickly lead to a complete compromise of the internal network and give threat actors a foothold to attack any connected cloud infrastructure further,” the researchers said.
Some parts of this article are sourced from:
thehackernews.com