nanog mailing list archives
Re: WaPo writes about vulnerabilities in Supermicro IPMIs
From: Kyle Creyts <kyle.creyts () gmail com>
Date: Thu, 15 Aug 2013 21:22:14 -0700
just so we're all clear, SuperMicro wasn't the only one... link: http://pastebin.com/syXHLuC5 1. CVE-2013-4782 CVSS Base Score = 10.0 2. The SuperMicro BMC implementation allows remote attackers to bypass authentication and execute arbitrary IPMI commands by using cipher suite 0 (aka cipher zero) and an arbitrary password. 3. 4. CVE-2013-4783 CVSS Base Score = 10.0 5. The Dell iDRAC 6 BMC implementation allows remote attackers to bypass authentication and execute arbitrary IPMI commands by using cipher suite 0 (aka cipher zero) and an arbitrary password. 6. 7. CVE-2013-4784 CVSS Base Score = 10.0 8. The HP Integrated Lights-Out (iLO) BMC implementation allows remote attackers to bypass authentication and execute arbitrary IPMI commands by using cipher suite 0 (aka cipher zero) and an arbitrary password. 9. 10. CVE-2013-4785 CVSS Base Score = 10.0 11. iDRAC 6 firmware 1.7, and possibly other versions, allows remote attackers to modify the CLP interface for arbitrary users and possibly have other impact via a request to an unspecified form that is accessible from testurls.html. 12. 13. CVE-2013-4786 CVSS Base Score = 7.8 14. The IPMI 2.0 specification supports RMCP+ Authenticated Key-Exchange Protocol (RAKP) authentication, which allows remote attackers to obtain password hashes and conduct offline password guessing attacks by obtaining the HMAC from a RAKP message 2 responses from a BMC. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4782 => http://fish2.com/ipmi/cipherzero.html http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4783 => http://fish2.com/ipmi/cipherzero.html http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4784 => http://fish2.com/ipmi/cipherzero.html http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4785 => http://fish2.com/ipmi/dell/secret.html http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4786 => http://fish2.com/ipmi/remote-pw-cracking.html On Thu, Aug 15, 2013 at 6:00 PM, Jay Ashworth <jra () baylink com> wrote:
Presumably, everyone else's are very religious as well. Is anyone here stupid enough not to put the management interfaces behind a firewall/VPN? http://www.washingtonpost.com/blogs/the-switch/wp/2013/08/14/researchers-figure-out-how-to-hack-tens-of-thousands-of-servers/ And should I be nervous that Usenix pointed me *there* for the story, rather than a tech press outlet? Cheers, -- jra -- Jay R. Ashworth Baylink jra () baylink com Designer The Things I Think RFC 2100 Ashworth & Associates http://baylink.pitas.com 2000 Land Rover DII St Petersburg FL USA #natog +1 727 647 1274
-- Kyle Creyts Information Assurance Professional Founder BSidesDetroit
Current thread:
- Re: WaPo writes about vulnerabilities in Supermicro IPMIs, (continued)
- Re: WaPo writes about vulnerabilities in Supermicro IPMIs Jay Ashworth (Aug 15)
- RE: WaPo writes about vulnerabilities in Supermicro IPMIs Tom Walsh - EWS (Aug 15)
- Re: WaPo writes about vulnerabilities in Supermicro IPMIs Brandon Martin (Aug 15)
- Re: WaPo writes about vulnerabilities in Supermicro IPMIs Jay Ashworth (Aug 15)
- Re: WaPo writes about vulnerabilities in Supermicro IPMIs Jonathan Lassoff (Aug 15)
- Re: WaPo writes about vulnerabilities in Supermicro IPMIs Jay Ashworth (Aug 15)
- Re: WaPo writes about vulnerabilities in Supermicro IPMIs Andrew Jones (Aug 15)
- Re: WaPo writes about vulnerabilities in Supermicro IPMIs Jay Ashworth (Aug 15)
- Re: WaPo writes about vulnerabilities in Supermicro IPMIs Jay Ashworth (Aug 15)
- Re: WaPo writes about vulnerabilities in Supermicro IPMIs Leo Bicknell (Aug 16)
- Re: WaPo writes about vulnerabilities in Supermicro IPMIs Charles N Wyble (Aug 25)
- Re: WaPo writes about vulnerabilities in Supermicro IPMIs Alain Hebert (Aug 16)
- Message not available
- Message not available
- Message not available
- Message not available
- Re: WaPo writes about vulnerabilities in Supermicro IPMIs Anthony Bonkoski (Aug 17)