EXPLOITED: Dataprobe iBoot-PDU
February 23, 2023
Modern power distribution units (PDUs) – devices that are commonly used to deliver power to server racks – can be managed remotely. While convenient and often efficient, these power delivery systems also represent an attack vector for bad actors looking to infiltrate networks, data centers, and anything connected to them.
Claroty’s Team82 recently revealed multiple CVEs found in Dataprobe’s iBoot-PDU, which can be accessed from the cloud so that operators can service the device remotely. The findings revealed that, among other exploits, unauthenticated outside code could be executed on the PDU to not only impact the unit itself but also devices receiving power from it. That means even devices that aren’t connected to the Internet could potentially be targets of Internet-borne attacks.
In total, seven different vulnerabilities were exposed by the team of white hat hackers, including:
- CVE-2022-3183 – An OS Command Injection with a CVSS v3 score of 9.8 wherein a specific function doesn’t sanitize user inputs, thereby exposing an OS command injection vulnerability.
- CVE-2022-3184 – A firmware exposure vulnerability with a CVSS v3 score of 9.8 that allows unauthenticated users to access PHP pages that are vulnerable to directory traversal, which could allow the user to write files to the webroot directory.
- CVE-2022-3185 – A device data exposure vulnerability with a CVSS v3 score of 5.3.
- CVE-2022-3186 – An improper access control vulnerability with a CVSS v3 score of 8.6 that allows attackers to reach a device’s main management page from the cloud, connect to the device remotely, and then access other devices’ information.
- CVE-2022-3187 – An improper authorization vulnerability with a CVSS v3 score of 5.3 whereby certain PHP pages do not verify the validity of a user, which attackers could leverage to read the state of outlets.
- CVE-2022-3188 – An incorrect authorization vulnerability with a CVSS v3 score of 5.3 that allows unauthenticated users to open PHP index pages without authentication and download a device’s history, which includes the latest actions completed by specific users.
- CVE-2022-3189 – A server-side request forgery with a CVSS v3 score of 5.3 in which a specially-crafted PHP script could use HTTP request parameters to create a URL capable of changing the host parameter so that the URL points to another host or IP address.
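The request shapes behind three of these CVE classes (shell metacharacters in a parameter for OS command injection, `../` sequences for directory traversal, and a full URL in a parameter for the host-override SSRF) can be picked out of a PDU’s web server access log. The script below is an added example for defenders, not Team82’s or Dataprobe’s code: the log lines, the page names (`status.php`, `fw.php`, `config.php`, `outlets.php`), the parameter names and the IP addresses are all constructed for illustration and are not taken from the device.

```python
import re
from dataclasses import dataclass
from typing import Dict, List
from urllib.parse import unquote, urlsplit

# Constructed sample access log in Apache combined style. Page and parameter
# names are hypothetical; nothing here is captured from a real iBoot-PDU.
SAMPLE_LOG = """\
10.0.0.5 - - [23/Feb/2023:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 512
10.0.0.9 - - [23/Feb/2023:10:01:07 +0000] "GET /status.php?outlet=1;id HTTP/1.1" 200 77
10.0.0.9 - - [23/Feb/2023:10:01:09 +0000] "GET /fw.php?file=../../etc/passwd HTTP/1.1" 200 1024
10.0.0.9 - - [23/Feb/2023:10:01:15 +0000] "POST /config.php?host=http://198.51.100.7/ HTTP/1.1" 302 0
10.0.0.5 - - [23/Feb/2023:10:02:00 +0000] "GET /outlets.php?id=3 HTTP/1.1" 200 300
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Characters that let a value escape a shell command built from user input.
SHELL_META = re.compile(r'[;|&`$\n]')
# A ".." path segment, with either slash style, anywhere in a path or value.
TRAVERSAL = re.compile(r'(^|[/\\])\.\.([/\\]|$)')


@dataclass
class Finding:
    ip: str
    timestamp: str
    target: str
    category: str


def query_values(query: str) -> List[str]:
    """Percent-decode every parameter value; split on '&' only so that ';'
    survives as part of a value and can be flagged as a shell metacharacter."""
    return [unquote(pair.partition("=")[2]) for pair in query.split("&") if pair]


def classify(target: str) -> List[str]:
    """Return the attack classes a request target matches after decoding."""
    parts = urlsplit(target)
    path = unquote(parts.path)
    values = query_values(parts.query)
    categories = []
    if TRAVERSAL.search(path) or any(TRAVERSAL.search(v) for v in values):
        categories.append("directory_traversal")      # CVE-2022-3184 class
    if any(SHELL_META.search(v) for v in values):
        categories.append("os_command_injection")     # CVE-2022-3183 class
    if any(v.lower().startswith(("http://", "https://", "//")) for v in values):
        categories.append("ssrf_host_override")       # CVE-2022-3189 class
    return categories


def analyze(log_text: str) -> List[Finding]:
    """Run the classifier over every well-formed log line."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        for category in classify(m["target"]):
            findings.append(Finding(m["ip"], m["ts"], m["target"], category))
    return findings


def by_source(findings: List[Finding]) -> Dict[str, List[str]]:
    """Group distinct attack classes by source IP, sorted for stable output."""
    grouped: Dict[str, set] = {}
    for f in findings:
        grouped.setdefault(f.ip, set()).add(f.category)
    return {ip: sorted(cats) for ip, cats in grouped.items()}


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.timestamp} {f.ip} {f.category}: {f.target}")
    print(by_source(analyze(SAMPLE_LOG)))
```

On the constructed sample this flags one request in each of the three classes, all from the same source. The authorization-class issues in the list (CVE-2022-3185 through CVE-2022-3188) are not detectable from request shape alone, since an unauthenticated read of a PHP page looks like any other GET; catching those needs the device to log which session, if any, issued the request.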
Here's how the white hats took advantage.
Exploiting iBoot-PDU Devices
Team82 set out with the goal of determining whether they could “remotely access the device, bypassing authentication requirements, and gaining code execution. We also wanted to reach iBoot-PDUs that were not directly connected to the internet, but instead were managed by an integrated cloud platform.”
Team82 leveraged the Censys scanner to locate components not currently connected to the web (for reference, a July 2021 report from Censys outlines the discovery of 2,617 devices operated remotely on power outlets, 31% of which were Dataprobe’s). This gave the Team82 hackers an open attack surface for PDUs networked to the cloud, from which they began their research.
The research focused on compromising Internet-connected devices through:
- Authentication bypass
- Pre-auth code execution
- Bypassing NAT and firewalls to infiltrate the iBoot Cloud service in order to:
  - Execute code on cloud-connected devices
  - Obtain cloud credentials and move laterally through the network
- Chaining the exploits to open or close an electric relay.
By means of authentication bypass and pre-authentication code execution, the Team82 researchers were able to infiltrate the cloud-managed iBoot devices by manipulating access control weaknesses that allowed them to circumvent NAT and firewall security. From there, they could execute code, obtain credentials to access network data, and more. This could even include cutting power to servers and other data center equipment driven by the PDUs.
Dataprobe iBoot: The Patch
Team82 informed Dataprobe, which addressed the vulnerabilities in Version 1.42.06162022 and urged users to disable the SNMP, telnet, and HTTP services if they are not in use. ICS-CERT has also issued an advisory.
The discovery is an extension of Team82’s previous work on exploiting cloud-based OT devices.