Seven vulnerabilities in Dataprobe iBoot-PDU can bypass NAT, firewall to shut down electric devices, Team82 reveals

Claroty’s research arm, Team82, uncovered and disclosed seven vulnerabilities in Dataprobe’s iBoot-PDU (power distribution unit). Some of the vulnerabilities can lead to unauthenticated remote code execution on iBoot-PDU devices, enabling attackers to exploit them remotely through a direct web connection to the device or via the cloud. The flaws can also be used to bypass network address translation (NAT) and firewalls and infiltrate organizations through the smart connectivity channel.

Team82 recently concluded research into Dataprobe iBoot-PDUs, devices that provide users with real-time monitoring capabilities and remote access, the researchers wrote in their report, published on Tuesday. All the vulnerabilities were disclosed to Dataprobe, which patched them in a recent update. Users are urged to apply these fixes.

The devices are deployed across the critical manufacturing sector. Uri Katz of Claroty Research reported these vulnerabilities to Dataprobe and CISA. The vulnerabilities detected include OS command injection, path traversal, exposure of sensitive information to an unauthorized actor, improper access control, improper authorization, incorrect authorization, and server-side request forgery.

Power distribution units (PDUs) are common devices found in industrial environments, data centers, and elsewhere where power supplies must be in proximity of rack-mounted equipment. Some PDUs can be accessed and managed remotely. Attacking a remotely exploitable vulnerability in a PDU component such as the web-based interface or cloud-based management platform puts an attacker within arm’s length of disrupting critical services by cutting off the electric power to the device and, subsequently, anything plugged into it.

Following a 2021 Censys report, which revealed that more than 2,000 PDUs are exposed to the internet, with 31 percent of those being Dataprobe devices, Team82 researchers decided to examine the security of Dataprobe iBoot-PDUs and determine whether they could remotely access the device, bypass authentication requirements, and gain code execution. “We also wanted to reach iBoot-PDUs that were not directly connected to the internet, but instead were managed by an integrated cloud platform,” the team added.

After analyzing the attack surface, Team82 began its research with a few goals: executing code on internet-connected devices through either authentication bypass or pre-auth code execution, and reaching devices that are not publicly facing by using the iBoot Cloud Service while bypassing NAT and firewalls to infiltrate organizations through the smart connectivity channel. Achieving the latter would enable the execution of code on cloud-connected devices and the retrieval of cloud credentials to move laterally through the network.

Team82’s disclosure of seven vulnerabilities in Dataprobe’s iBoot-PDU demonstrates the need to assess the risk posed by all connected devices within an enterprise. Even an innocuous power distribution unit remotely managed over the internet or via a cloud-based management platform can provide a determined attacker with a way into the network, or with a way to disrupt essential services by cutting power to devices plugged into a PDU.

The report demonstrates how an attacker can enumerate connected PDUs through a simple Censys search to understand the available attack surface. The vulnerabilities eventually uncovered by Team82 and patched by Dataprobe allowed for authentication bypass and pre-authentication code execution on internet-connected devices.

“For cloud-managed PDUs, Team82 was able to reach those devices by exploiting access control flaws in order to bypass network address translation and firewall protections,” the report said. “Doing so enables an attacker to execute code on cloud-connected PDUs, or obtain cloud credentials to move laterally on the network.” It adds that successful exploits could allow attackers to shut down servers and other networking equipment housed in data centers that are normally powered through a PDU.

Team82 also developed a means by which it can enumerate cloud-connected iBoot-PDU devices, expanding the available attack surface to all connected devices. Furthermore, an attacker could remotely exploit these vulnerabilities through a direct web connection to the device or via the cloud.

Not all iBoot-PDUs connected to the internet are publicly facing, Team82 researchers said. Many devices are behind NAT routers and firewalls. In the past, users had to choose between exposing devices to the internet to control them remotely with a greater risk of attacks on the devices and keeping devices local without the ability to control them from outside the network.

“Modern solutions implemented a constant session for the edge device to a cloud-based platform in which users can remotely control through a central location: the cloud platform,” the researchers added.

Team82 said that it now has the ability to expose all the cloud-controlled iBoot-PDU devices and exploit them remotely through their web interface while bypassing NAT, routers, and firewalls. “An attacker gaining such an ability would probably start to exploit the internal network because that’s where they would have an initial foothold. We were pondering what else is possible from an attacker’s perspective. What about controlling the physical socket outlets? Having the ability to remotely shut down power on devices within the internal network would leverage the virtual network world to impact the physical one. This is scary,” the report added.

iBoot-PDUs use relays to control outlets, the report said. “A relay is a physical electric switch controlled by a signal. Putting it in simple terms, relays receive a signal and open/close a circuit according to the signal.” 

The researchers pointed out that the iBoot-PDU uses general-purpose I/O (GPIO) signals to open/close the circuit connected to each power outlet on the device and, therefore, to control which devices receive power. “Essentially, this means that an attacker can remotely bypass NAT and firewalls to expose a remote iBoot-PDU in order to gain code execution and shut down all controlled devices,” they added.

In May, Team82 researchers uncovered two vulnerabilities in the PLC Program Tool from Chinese automation company XINJE. The flaws can be triggered by a crafted project file, which an attacker can use to exploit and write arbitrary project files to a PLC (programmable logic controller) and gain code execution. Team82 tested only v3.5, though it believes other versions may be vulnerable too. 