CISA, Claroty highlight severe vulnerabilities in popular power distribution unit product

The Cybersecurity and Infrastructure Security Agency (CISA) released a warning about several vulnerabilities found in Dataprobe’s iBoot power distribution units (PDU), some of which would allow hackers to exploit devices remotely. 

Dataprobe was founded in 1969 and provides remote site management tools for critical networks like air traffic control and bitcoin kiosks. PDUs are commonly found in industrial environments, data centers, and elsewhere where power supplies must be in proximity of rack-mounted equipment. 

Some PDUs can be accessed and managed remotely, putting them “within arm’s length of disrupting critical services by cutting off electric power to the device and subsequently, anything plugged into it,” according to researchers from cybersecurity firm Claroty who discovered the bugs.

Dataprobe CEO David Weiss told The Record that the iBoot-PDU product family has been in service since 2016 and said thousands are deployed across industries for tasks like digital signage, telecommunications and remote site management. 

iBoot-PDU technology is also provided to original equipment manufacturers to assist them in deploying remote power management within their products. Dataprobe iBoot-PDUs provide users with real-time monitoring capabilities and remote access, allowing users may to remotely control outlets using a built-in web interface or over protocols such as telnet and SNMP. 

But Claroty discovered seven vulnerabilities in the product and CISA said two of the bugs have CVSS scores of 9.8 – CVE-2022-3183 and CVE-2022-3184. The rest had scores ranging from 8.6 to 5.3.

Weiss said several of the bugs have been patched in a recent update and others were resolved “with proper customer configuration and disabling of features not required.”

“There is nothing in the Claroty report that we dispute. We appreciate third-party analysis and take very seriously the need to continuously improve and respond to changing security environments,” he said. “We have engaged with Claroty and continue to work with them and other third-party organizations on security improvements.”

He added that some of the issues are “inherent in the open source components used in the product” while others are “currently under review and our engineering team is developing a response.”

He did not explain which explanations applied to which vulnerabilities, but according to Claroty, all of the issues they discovered have been adequately addressed by Dataprobe in Version 1.42.06162022.

They also noted that Dataprobe recommends users disable SNMP, telnet, and HTTP if not in use as a mitigation against some of these vulnerabilities.

The vulnerabilities

Claroty security researcher Uri Katz, credited by CISA with discovering the bugs, said in an interview that his team was able to expose all iBoot-PDU devices, even if they are behind a firewall, by finding a vulnerability in the cloud platform. 

One of the vulnerabilities they found in the web interface allowed them to execute unauthorized code on them. 

“This is especially concerning because it could have let attackers gain a foothold within internal networks and exploit the iBoot-PDU devices remotely, even if they are not directly exposed on the internet,” Katz said. 

Katz explained that internet scanning company Censys published a report in 2021 that found more than 2,500 units used to remotely manage power distribution that were reachable over the internet.

The report said 31% of those devices were from Dataprobe and that percentage did not include devices behind a firewall that are managed by their cloud service. 

“So it’s likely a much higher number,” Katz noted. “These vulnerabilities can be exploited to shut down rack-mounted servers and networking gear housed in datacenters that are powered by iBoot-PDUs.”

Claroty also developed a way to find cloud-connected iBoot-PDU devices, expanding the available attack surface to all connected devices.

An attacker would be able to exploit the bugs through a direct web connection to the device or via the cloud. Through the web interface, users can configure the PDU, view device details, and control the electric outlets on the device. 

According to Claroty, every time users click the virtual on/off buttons for an outlet, an electrical relay opens or closes the circuit to that specific outlet.

“Dataprobe’s iBoot Cloud Service platform can directly control outlets and also has a feature to access the device’s main management page from the cloud. This feature enables users to remotely connect to their device without exposing it to the internet,” Claroty explained.

“We now have the ability to expose all the cloud-controlled iBoot-PDU devices and exploit them remotely through their web interface while bypassing NAT, routers, and firewalls. An attacker gaining such an ability would probably start to exploit the internal network because that’s where they would have an initial foothold.”

The researchers noted that it would be “scary” for hackers to have control over physical socket outlets and have the ability to remotely shut down power on devices within the internal network. 

CISA’s advisory on the vulnerabilities coincided with the release of several other advisories about industrial control bugs. 

Last week, the cybersecurity agency added six vulnerabilities to its catalog of Known Exploited Vulnerabilities, one of which was used during the now-infamous 2010 Stuxnet attack to target the supervisory control and data acquisition (SCADA) systems of Iran’s nuclear facilities.