Dataprobe’s iBoot-Power Distribution Unit (PDU) Vulnerabilities

By Jonathan Means on October 11, 2022

Executive Summary

On Tuesday, September 20, 2022, the Cybersecurity and Infrastructure Security Agency (CISA) released an industrial control system advisory (ICSA-22-263-03) regarding seven serious vulnerabilities found in Dataprobe’s iBoot power distribution units (PDUs). Dataprobe and CISA were notified by Uri Katz of Claroty Research, who discovered these issues. PDUs are devices found in industrial environments, data centers, and elsewhere where power supplies must sit close to rack-mounted equipment [3]. The vulnerabilities that Claroty’s research team found are remotely exploitable and could be used to target a cloud-based management console from a compromised field device, or to take over a company’s cloud and attack programmable logic controllers (PLCs) and other devices to disrupt operations [4].

Background

On September 20, 2022, Claroty’s research team, Team82, disclosed seven vulnerabilities in Dataprobe’s iBoot-PDU. In 2021, a Censys report revealed that more than 2,000 PDUs were exposed to the internet [3], and 31% (620) of those devices belonged to Dataprobe. That report prompted Team82 to examine the security of the Dataprobe iBoot-PDU and determine whether the devices could be reached remotely, whether their authentication could be bypassed, and whether remote code execution was possible. As of October 5, 2022, a Censys search revealed that 248 devices are still exposed to the internet, one of them located here in Hawaii.

The iBoot-PDU makes it easy to manage AC power from any location. In addition, it comes with a cloud platform and a straightforward web interface that allows multiple PDUs to be managed from a single web page, including controlling each outlet for remote power management [2].

Vulnerabilities

The seven vulnerabilities disclosed in the report were each assigned a common vulnerabilities and exposures (CVE) number, ranging from CVE-2022-3183 to CVE-2022-3189. The three most serious issues were improper access control, with a common vulnerability scoring system (CVSS) v3 base score of 8.6, and operating system (OS) command injection and path traversal, each with a CVSS v3 base score of 9.8.

The improper access control vulnerability (CVE-2022-3186) maps to common weakness enumeration (CWE) entry CWE-284, which covers software that does not restrict, or incorrectly restricts, access to a resource by an unauthorized actor [6]. In the case of CVE-2022-3186, the vulnerability gives attackers unauthorized access to a device’s main management page from the cloud. The page is meant to let users connect to their own devices remotely; however, the current implementation also permits users to access other devices’ information [3][1].
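The CWE-284 pattern described above is easiest to see side by side with its fix. The following is an added example, not Dataprobe’s code and not taken from the advisory: a per-device status lookup keyed only on the device id in the request, beside a lookup that binds the device to the authenticated account. The device ids, account names and outlet states are constructed for this illustration.

```python
# Added example (not Dataprobe's code and not from the advisory): the CWE-284
# pattern, a per-device lookup keyed only on the device id, beside a lookup
# that binds the device to the authenticated account.
# All device ids, account names and outlet states below are constructed.

DEVICES = {
    "pdu-1001": {"owner": "alice", "outlets": {"1": "on", "2": "off"}},
    "pdu-2002": {"owner": "bob", "outlets": {"1": "on", "2": "on"}},
}


class Forbidden(Exception):
    """Raised when the caller is not entitled to the requested device."""


def device_status_insecure(user: str, device_id: str) -> dict:
    """Vulnerable pattern: the id taken from the request is the only key used;
    the caller's identity never enters the decision, so any logged-in user can
    read (and, with a similar handler, control) another customer's PDU."""
    return DEVICES[device_id]["outlets"]


def device_status_secure(user: str, device_id: str) -> dict:
    """Hardened pattern: the device is resolved through the caller's ownership.
    'Does not exist' and 'not yours' raise the same error so the endpoint
    cannot be used to enumerate which device ids are valid."""
    device = DEVICES.get(device_id)
    if device is None or device["owner"] != user:
        raise Forbidden(f"{user} may not access {device_id}")
    return device["outlets"]


def can_access(user: str, device_id: str) -> bool:
    """True only when the secure lookup succeeds for this user/device pair."""
    try:
        device_status_secure(user, device_id)
    except Forbidden:
        return False
    return True


if __name__ == "__main__":
    print("insecure, bob -> pdu-1001:", device_status_insecure("bob", "pdu-1001"))
    print("secure,   bob -> pdu-1001:", can_access("bob", "pdu-1001"))
    print("secure, alice -> pdu-1001:", can_access("alice", "pdu-1001"))
```

The design point is that authorization is part of the lookup itself rather than a separate check that a later code path can forget: there is no way to obtain a device record without naming the account that owns it.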

The second high-impact vulnerability was OS command injection (CVE-2022-3183), which corresponds to CWE-78. OS command injection can allow attackers to execute unexpected, dangerous commands directly on the operating system [4]. In CVE-2022-3183, a specific function does not sanitize user-supplied input, which may expose the affected device to OS command injection [3][1].
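To make the CWE-78 weakness concrete, here is an added example that is not from the advisory or Dataprobe’s firmware: a hypothetical network diagnostic that takes a user-supplied host, first in the vulnerable shape (input spliced into a shell command line) and then hardened with allowlist validation and an argv list executed without a shell. The function names and sample inputs are constructed for this illustration.

```python
# Added example (not from the advisory or Dataprobe's firmware): a hypothetical
# "ping from the device" diagnostic taking a user-supplied host, in the CWE-78
# shape (input spliced into a shell command line) and then hardened (allowlist
# validation, argv list, no shell). Helper names and sample inputs are constructed.

import re
import subprocess

# Allowlist grammar: an IPv4 dotted quad or a DNS hostname made of labels of
# letters, digits and interior hyphens. Nothing else matches, in particular no
# shell metacharacters, whitespace, newlines or a leading '-'.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOST_RE = re.compile(r"(?:\d{1,3}(?:\.\d{1,3}){3}|" + _LABEL + r"(?:\." + _LABEL + r")*)")


def build_ping_insecure(host: str) -> str:
    """Vulnerable pattern: the value is concatenated into a string destined for
    /bin/sh (os.system, or subprocess with shell=True), so a ';', '&&' or '|'
    inside `host` becomes a second command the shell will run."""
    return "ping -c 1 " + host


def is_valid_host(host: str) -> bool:
    """True only if `host` matches the allowlist grammar and a sane length.
    fullmatch is used so a trailing newline cannot slip past a '$' anchor."""
    return len(host) <= 253 and _HOST_RE.fullmatch(host) is not None


def build_ping_secure(host: str) -> list:
    """Hardened pattern: reject anything outside the allowlist, then pass the
    value as a single argv element. With shell=False there is no shell to
    interpret metacharacters, and because the grammar forbids a leading '-'
    the value cannot be mistaken for a ping option either."""
    if not is_valid_host(host):
        raise ValueError("host is not a valid IPv4 address or hostname")
    return ["ping", "-c", "1", host]


def run_ping_secure(host: str) -> int:
    """Execute the validated argv without a shell; returns ping's exit status."""
    return subprocess.run(build_ping_secure(host), shell=False,
                          capture_output=True, timeout=10).returncode


if __name__ == "__main__":
    tainted = "10.0.0.1; echo injected"
    print(repr(build_ping_insecure(tainted)))   # a shell would run both commands
    print(build_ping_secure("10.0.0.1"))
    try:
        build_ping_secure(tainted)
    except ValueError as exc:
        print("rejected:", exc)
```

Two defenses are layered here on purpose: the allowlist decides what a host may look like, and the argv form guarantees that even an unexpected value reaches the program as data rather than as shell syntax. Escaping the input for a shell (for example with shlex.quote) is a weaker substitute, since it keeps the shell in the loop.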

Finally, the path traversal issue (CVE-2022-3184) corresponds to CWE-22, an input validation weakness in which external input is used to construct a pathname intended to identify a file or directory beneath a restricted parent directory, but the software does not properly neutralize special elements in the pathname, so it can resolve to a location outside the restricted directory [5]. In the case of CVE-2022-3184, the device’s existing firmware allows unauthenticated users to reach an old PHP page vulnerable to directory traversal, which may allow a user to write a file to the webroot directory [3][1].
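The containment check that CWE-22 calls for is short but easy to get subtly wrong, so here is an added example that is not Dataprobe’s PHP page and not from the advisory: a path check for a hypothetical upload handler, in the vulnerable shape (the caller’s path joined straight onto the webroot) beside a check that keeps every resolved path inside the webroot. The webroot and the sample relative paths are constructed, and POSIX path rules are assumed.

```python
# Added example (not Dataprobe's PHP page and not from the advisory): a file
# path check for a hypothetical upload handler, in the CWE-22 shape (the
# caller's path joined straight onto the webroot) beside a containment check
# that keeps every resolved path inside the webroot. The webroot and the
# sample relative paths are constructed; POSIX path rules are assumed.

import os


def join_insecure(webroot: str, user_path: str) -> str:
    """Vulnerable pattern: '..' segments are honoured, and an absolute user_path
    makes os.path.join discard webroot entirely, so the result can land
    anywhere on the filesystem."""
    return os.path.normpath(os.path.join(webroot, user_path))


def join_secure(webroot: str, user_path: str) -> str:
    """Hardened pattern: normalise both sides, then require that the webroot is
    a component-wise prefix of the candidate path."""
    if "\x00" in user_path:
        raise ValueError("NUL byte in path")
    if os.path.isabs(user_path):
        raise ValueError("absolute paths are not allowed")
    root = os.path.abspath(webroot)
    candidate = os.path.abspath(os.path.join(root, user_path))
    # commonpath compares whole components, so '/var/www/html-old' is not
    # mistaken for a child of '/var/www/html' the way a startswith() check would.
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError("path escapes the webroot")
    # On a live filesystem, repeat this comparison on os.path.realpath() of
    # both sides so that a symlink under the webroot cannot redirect the write.
    return candidate


def is_within_webroot(webroot: str, user_path: str) -> bool:
    """True only if join_secure accepts the path."""
    try:
        join_secure(webroot, user_path)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    root = "/var/www/html"
    for p in ["images/logo.png", "../../../etc/config.ini", "/etc/config.ini"]:
        print(f"{p!r}: insecure -> {join_insecure(root, p)}, "
              f"secure -> {is_within_webroot(root, p)}")
```

Note that the check is done on the resolved path rather than by stripping "../" from the input: string filtering can be bypassed by encodings or repeated sequences, whereas comparing the final location against the webroot is independent of how the input was written.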

Significance

Today, attackers can exploit these vulnerabilities to achieve arbitrary code execution, bypassing network address translation (NAT) and firewalls, which enables them to cut power to every device the PDU controls. Furthermore, an attacker can obtain the credentials required to move laterally within the compromised network. CISA therefore recommends that users take defensive measures to minimize the risk of exploitation. Specifically, users should [1]:

  • Minimize network exposure for all control system devices and systems, and ensure they are not accessible from the Internet.
  • Locate control system networks and remote devices behind firewalls and isolate them from business networks.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as its connected devices.

Dataprobe recommends that users disable the Simple Network Management Protocol (SNMP) if it is not in use. Dataprobe has also released a firmware security update (version 1.42.06162022) that addresses the seven vulnerabilities in the iBoot-PDU, and owners have been advised to update to the new firmware.

Sources

[1] Cybersecurity and Infrastructure Security Agency. (2022, September 22). ICS Advisory (ICSA-22-263-03). Retrieved October 4, 2022, from CISA: https://www.cisa.gov/uscert/ics/advisories/icsa-22-263-03

[2] Dataprobe. (n.d.). IBOOT-PDU – INTELLIGENT POWER DISTRIBUTION. Retrieved October 4, 2022, from Dataprobe: https://dataprobe.com/iboot-pdu/

[3] Katz, U. (2022, September 22). Jumping NAT to Shut Down Electric Devices. Retrieved October 4, 2022, from Claroty: https://claroty.com/team82/research/jumping-nat-to-shut-down-electric-devices

[4] Mitre. (n.d.). CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’). Retrieved October 4, 2022, from Mitre: https://cwe.mitre.org/data/definitions/78.html

[5] Mitre. (n.d.). CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’). Retrieved October 4, 2022, from Mitre: https://cwe.mitre.org/data/definitions/22.html

[6] Mitre. (n.d.). CWE-284: Improper Access Control. Retrieved October 4, 2022, from Mitre: https://cwe.mitre.org/data/definitions/284.html