Cybersecurity company Claroty’s research team, Team82, recently published a report on security vulnerabilities it discovered in Dataprobe’s iBoot-PDUs.
Power distribution units (PDUs) are common devices found in industrial environments, data centers, and elsewhere where power supplies must be in proximity of rack-mounted equipment. Some PDUs can be accessed and managed remotely. Attacking a remotely exploitable vulnerability in a PDU component such as the web-based interface or cloud-based management platform puts an attacker within arm’s length of disrupting critical services by cutting off electric power to the device and, subsequently, anything plugged into it.
Team82 recently concluded research into Dataprobe iBoot-PDUs, an advanced device that provides users with real-time monitoring capabilities and remote access. A 2021 Censys report revealed that more than 2,000 PDUs are exposed to the internet, with 31% of those being Dataprobe devices.
After uncovering seven vulnerabilities, the research team disclosed them to Dataprobe, which patched them in a recent update. Users must now apply the update and implement the recommended fixes.
This research builds on previous work done by Team82 on the security of cloud-based management platforms back in July 2021, the “Top-Down and Bottom-Up: Exploiting Vulnerabilities in the OT Cloud Era” report. It featured research that uncovered vulnerabilities in market-leading WAGO PLCs that could enable an attacker to target a cloud-based management system and flaws in CODESYS’ Automation Server platform used to manage industrial devices from the cloud. The flaws Team82 disclosed were remotely exploitable and could be used to target a cloud-based management console from a compromised field device or take over a company’s cloud and attack PLCs and other devices to disrupt operations.
Team82’s disclosure of seven vulnerabilities in Dataprobe’s iBoot-PDU illustrates the need to assess the risk posed by all connected devices within an enterprise. Even an innocuous power distribution unit remotely managed over the internet or via a cloud-based management platform can give a determined attacker a foothold from which to target the network, or a way to disrupt essential services by cutting power to devices plugged into the PDU.
The vulnerabilities eventually uncovered by Team82 and patched by Dataprobe allowed for authentication bypass and pre-authentication code execution on internet-connected devices. For cloud-managed PDUs, Team82 was able to reach those devices by exploiting access control flaws to bypass network address translation and firewall protections. Doing so enables an attacker to execute code on cloud-connected PDUs, or obtain cloud credentials to move laterally on the network.
Successful exploits could allow attackers to shut down servers and other networking equipment in data centers that depend on a PDU for power. For this reason, it is imperative that such vulnerabilities be uncovered and fixed quickly, before attackers exploit them.
To read the detailed report on how Team82 discovered the vulnerabilities in Dataprobe’s PDUs, visit here.