Researchers found serious flaws in Dataprobe’s iBoot power distribution unit (PDU), which may be used by hostile parties to remotely hijack the device and shut down any connected devices, possibly disrupting the targeted business.
Researchers from the industrial cybersecurity company Claroty discovered a total of seven flaws with the iBoot-PDU product, including one that might have allowed a remote, unauthenticated attacker to execute arbitrary code.
For remote power management, the affected PDU offers a web interface and a cloud platform for setting up the device and managing each individual outlet.
More than 2,000 PDUs were directly exposed to the internet in 2021, and roughly a third of those were iBoot PDUs, according to Censys research.
The Claroty researchers demonstrated that attackers could reach not only these web-exposed devices but also devices that are not directly exposed to the web, by going through the cloud-based infrastructure that grants access to the device management page.
Customers can access their devices through the web using this cloud platform without directly exposing them to the internet, allowing them to keep the devices hidden behind a firewall or network address translation (NAT) router.
However, the flaws discovered by Claroty can be used to get through NAT and firewalls and execute arbitrary code, allowing the attacker to cut power to all the PDU-controlled devices. An attacker can also obtain the credentials needed to move laterally across the compromised network.
The seven vulnerabilities have been assigned the identifiers CVE-2022-3183 through CVE-2022-3189. The problems include server-side request forgery (SSRF), path traversal, sensitive information disclosure, improper access control, and incorrect authorization.
A blog article from Claroty outlines the more critical vulnerabilities.
To alert businesses to these vulnerabilities, the US Cybersecurity and Infrastructure Security Agency (CISA) has also published an advisory. According to the agency, the affected product is used in numerous countries and industries, including the critical manufacturing sector.
The vendor has released firmware version 1.42.06162022 to address the problems. The firmware should be updated, and Dataprobe also advises turning off the Simple Network Management Protocol (SNMP) if it isn’t being used.