CISA issues warning about data centre PDUs


Dataprobe firmware update needed to protect networks.

The US Cybersecurity and Infrastructure Security Agency (CISA) is warning of remotely exploitable bugs in networked power distribution units (PDUs) made by US vendor Dataprobe.


The iBoot-PDUs can be found in data centres, where they provide a way to power cycle individual power outlets, and are controllable via a Web page, telnet, or SNMP (the simple network management protocol).

“Successful exploitation of these vulnerabilities could lead to unauthenticated remote code execution on the Dataprobe iBoot-PDU device,” CISA said.

The worst of the vulnerabilities, both scoring 9.8 on the Common Vulnerability Scoring System (CVSS 3.0), are CVE-2022-3183 and CVE-2022-3184.

CVE-2022-3183 is an input sanitisation bug that exposes the PDU’s operating system to command injection, while CVE-2022-3184 is a path traversal bug that allows unauthenticated remote attackers to write files to the device’s web root directory.

CVE-2022-3186, with a CVSS score of 8.6 (high severity), is an access control vulnerability that allows an unauthenticated attacker to access the device’s management page “from the cloud”, the CISA advisory states.

The remaining vulnerabilities all have CVSS scores of 5.3 (medium severity): CVE-2022-3185, an information exposure bug; CVE-2022-3187 and CVE-2022-3188, improper authorisation bugs; and CVE-2022-3189, a server-side request forgery bug.

The bugs affect all iBoot-PDUs running firmware prior to version 1.42.06162022.

As well as installing the new firmware, Dataprobe recommends users switch off SNMP, minimise network access to the PDUs, and put the devices behind firewalls with minimal exposure to business networks.
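The advisory gives operators three things to check: firmware version, whether SNMP is on, and whether the management interface is reachable from outside an isolated network. The script below is an added example, not code from Dataprobe or CISA, that runs those checks over a constructed inventory. It assumes the firmware string is laid out as "major.minor.MMDDYYYY" (inferred from the fixed version 1.42.06162022 quoted above); that layout matters because a plain integer comparison of the build component would misorder builds from different years.

```python
"""Audit an inventory of iBoot-PDUs against the fixes in the article.

Added example (not Dataprobe or CISA code). Assumption: firmware strings
are "major.minor.MMDDYYYY"; the inventory records are constructed here.
"""
from dataclasses import dataclass
from datetime import date

# Fixed firmware version quoted in the article.
FIXED_VERSION = "1.42.06162022"


@dataclass
class Pdu:
    name: str
    firmware: str
    snmp_enabled: bool
    internet_reachable: bool  # management page reachable from outside the firewall


def parse_version(v: str) -> tuple:
    """Turn 'major.minor.MMDDYYYY' into a tuple that sorts chronologically.

    The date-encoded build component is an assumption about Dataprobe's
    scheme. Parsing it as a date (rather than an int) is what makes
    1.42.12012021 sort before 1.42.06162022.
    """
    major, minor, build = v.split(".")
    if len(build) != 8 or not build.isdigit():
        raise ValueError(f"unexpected build component in version {v!r}")
    build_date = date(int(build[4:]), int(build[:2]), int(build[2:4]))
    return (int(major), int(minor), build_date)


def is_vulnerable(firmware: str) -> bool:
    """All firmware prior to the fixed version is affected."""
    return parse_version(firmware) < parse_version(FIXED_VERSION)


def findings(pdu: Pdu) -> list:
    """Return the remediation steps from the advisory that still apply."""
    out = []
    if is_vulnerable(pdu.firmware):
        out.append(f"update firmware to {FIXED_VERSION} or later")
    if pdu.snmp_enabled:
        out.append("disable SNMP")
    if pdu.internet_reachable:
        out.append("restrict management interface to an isolated network")
    return out


def audit(inventory) -> dict:
    """Map each PDU name to its outstanding findings."""
    return {p.name: findings(p) for p in inventory}


# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE = [
    Pdu("pdu-rack01", "1.41.03152022", snmp_enabled=True, internet_reachable=False),
    Pdu("pdu-rack02", "1.42.06162022", snmp_enabled=False, internet_reachable=False),
    # Higher build digits but an earlier year: still pre-fix.
    Pdu("pdu-rack03", "1.42.12012021", snmp_enabled=False, internet_reachable=True),
]

if __name__ == "__main__":
    for name, items in audit(SAMPLE).items():
        print(name, "->", "; ".join(items) or "no findings")
```

Devices that report a firmware string outside the assumed layout raise a ValueError rather than being silently marked as patched, so an unexpected format shows up in the audit instead of hiding a device.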

Copyright © iTnews.com.au . All rights reserved.