Data centers at risk due to flaws in power management software
LAS VEGAS — While data centers are among the most critical components for powering every aspect of modern life, these massive facilities are also dangerously vulnerable to hackers who could disrupt them through flaws in power management systems.
During the DEF CON security conference, researchers at the cybersecurity firm Trellix disclosed vulnerabilities in commonly used applications at data centers that could give hackers access to sensitive facilities — and also let them turn off the power to specific servers.
These flaws are especially troubling due to the growing reliance on cloud computing for everything from internet search results to keeping businesses running. And much of that data is coming from centers that are reliant on software that’s too often full of holes that malicious hackers can exploit, said Sam Quinn, senior security researcher on the Advanced Threat Research team at Trellix.
“A vulnerability on a single data center management platform or device can quickly lead to a complete compromise of the internal network and give threat actors a foothold to attack any connected cloud infrastructure further,” Trellix researchers noted in the report. “The world has become increasingly reliant on data and the data center infrastructure that supports the foundation of our internet services.”
The researchers found four vulnerabilities in an infrastructure management platform from a company called CyberPower and five in power distribution units from Dataprobe that allowed for remote code injection.
Quinn said that they were looking to find out how an attacker can compromise complex data centers that rely on many different types of software and an intricate supply chain to provide services to millions of clients.
The CyberPower software allows administrators to manage and configure the infrastructure at a data center through the cloud. Such access means that the software really acts as a “single source of information and control for all devices,” the report notes.
“And because it manages all those devices in a single web application, it’s obviously a juicy target for attackers,” said Quinn.
The platforms are usually used by companies for anything from managing on-premise servers to co-located data centers from major cloud providers such as Amazon Web Services, Google Cloud and Microsoft Azure, Trellix researchers wrote.
Using multiple vulnerabilities found in the software, the researchers bypassed authentication, allowing them to see and configure devices on that network. With initial access to the software, hackers could then pivot to power distribution units, which are essentially glorified smart power strips that monitor energy usage, said Quinn.
“They also you can toggle on and off power, which is what an attacker like myself was mostly interested in,” Quinn said. “Even just turning off power to equipment in a data center is quite an impact to the victim.”
The vulnerability allowed Trellix researchers to turn off the power to a company’s server space, which can potentially cost millions for the organization relying on that data, the report noted.
“That’s a really impactful position to be as an attacker, now you have a device that you control that can, you know, doesn’t run the antivirus software, because it’s hardware physical device inside of either the data center itself or that cage space,” Quinn said.
The report noted that aside from turning off the power, hackers could use the access to install malware and make connections to potentially hundreds of businesses.
CyberPower and Dataprobe both patched the vulnerabilities ahead of the DEF CON presentation.