Multiple Vulnerabilities Discovered in Dataprobe’s iBoot-PDUs

  • Claroty’s research arm, Team82, has discovered several new vulnerabilities in Dataprobe’s iBoot–PDU (power distribution units).

    The company published the findings Tuesday in an advisory released in collaboration with the Cybersecurity and Infrastructure Security Agency (CISA).

    The technical write–up describes the newly discovered flaws, saying that if exploited, they pose a number of risks to Dataprobe, including giving control of the iBoot–PDU to attackers.

    According to the advisory, PDUs are quite common in industrial environments, with some of them having remote access and control capabilities.

    Unfortunately, Team82 wrote, attacking a remotely exploitable vulnerability in a PDU component, including its web–based interface or cloud–based management platform, puts an attacker in the position of disrupting critical services by cutting off the electric power to the device and everything else that may be plugged into it.

    The company explained that they started researching Dataprobe’s iBoot–PDU after reading a 2021 Censys report revealing that more than 2000 PDUs were exposed to the internet, with 31% of those being Dataprobe devices.

    “That report prompted us to examine the security of Dataprobe iBoot–PDUs and determine whether we could remotely access the device, bypassing authentication requirements, and gaining code execution,” Team82 wrote.

    The research led to the discovery of seven new vulnerabilities, one of which enables an attacker to enumerate connected PDUs through a Censys search in order to understand the available attack surface. Others allowed for authentication bypass and pre–authentication code execution on internet–connected devices.

    “For cloud–managed PDUs, Team82 was able to reach those devices by exploiting access control flaws in order to bypass network address translation and firewall protections,” the security experts wrote.

    “Doing so enables an attacker to execute code on cloud–connected PDUs, or obtain cloud credentials to move laterally on the network.”

    All of these vulnerabilities were disclosed to Dataprobe earlier this year and patched by the company.

    “Users are urged to implement these fixes,” Team82 said. “Dataprobe also recommends users disable SNMP, telnet, and HTTP, if not in use, as mitigation against some of these vulnerabilities.”

    Team82 also recently published a separate report suggesting the number of vulnerability disclosures impacting extended internet of things (XIoT) devices increased by 57% in the first half of 2022.