Critical Remote Hack Flaws Found in Dataprobe's Power Distribution Units
The U.S. Cybersecurity and Infrastructure Security Agency on Tuesday released an industrial control systems advisory warning of seven security flaws in Dataprobe's iBoot-PDU power distribution unit product, mostly used in industrial environments and data centers.
"Successful exploitation of these vulnerabilities could lead to unauthenticated remote code execution on the Dataprobe iBoot-PDU device," the agency said in a notice.
iBoot-PDU is a power distribution unit that provides users with real-time monitoring capabilities and sophisticated alerting mechanisms via a web interface so as to control the power supply to devices and other equipment in an OT environment.
Successful remote exploitation of the flaws "puts an attacker within arm's length of disrupting critical services by cutting off electric power to the device and subsequently, anything plugged into it," Claroty researcher Uri Katz said.
"Even an innocuous power distribution unit remotely managed over the internet or via a cloud-based management platform can provide a determined attacker with a way to target the network, or with a way to disrupt essential services by cutting power to devices plugged into a PDU," Katz said.
Claroty further disclosed that it found a way to enumerate cloud-connected iBoot-PDU devices by exploiting a combination of a valid cookie and the device ID, thereby widening the available attack surface to all connected devices.
News URL
https://thehackernews.com/2022/09/critical-remote-hack-flaws-found-in.html