WaPo writes about vulnerabilities in Supermicro IPMIs

Kyle Creyts kyle.creyts at gmail.com
Fri Aug 16 04:22:14 UTC 2013


just so we're all clear, SuperMicro wasn't the only one...

link: http://pastebin.com/syXHLuC5

1.  CVE-2013-4782 CVSS Base Score = 10.0
2.  The SuperMicro BMC implementation allows remote attackers to
bypass authentication and execute arbitrary IPMI commands by using
cipher suite 0 (aka cipher zero) and an arbitrary password.
3.
4.  CVE-2013-4783 CVSS Base Score = 10.0
5.  The Dell iDRAC 6 BMC implementation allows remote attackers to
bypass authentication and execute arbitrary IPMI commands by using
cipher suite 0 (aka cipher zero) and an arbitrary password.
6.
7.  CVE-2013-4784 CVSS Base Score = 10.0
8.  The HP Integrated Lights-Out (iLO) BMC implementation allows
remote attackers to bypass authentication and execute arbitrary IPMI
commands by using cipher suite 0 (aka cipher zero) and an arbitrary
password.
9.
10. CVE-2013-4785 CVSS Base Score = 10.0
11. iDRAC 6 firmware 1.7, and possibly other versions, allows remote
attackers to modify the CLP interface for arbitrary users and possibly
have other impact via a request to an unspecified form that is
accessible from testurls.html.
12.
13. CVE-2013-4786 CVSS Base Score = 7.8
14. The IPMI 2.0 specification supports RMCP+ Authenticated
Key-Exchange Protocol (RAKP) authentication, which allows remote
attackers to obtain password hashes and conduct offline password
guessing attacks by obtaining the HMAC from a RAKP message 2 responses
from a BMC.


References:

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4782
=>  http://fish2.com/ipmi/cipherzero.html

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4783
=> http://fish2.com/ipmi/cipherzero.html

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4784
=>  http://fish2.com/ipmi/cipherzero.html

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4785
=>  http://fish2.com/ipmi/dell/secret.html

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4786
=>  http://fish2.com/ipmi/remote-pw-cracking.html

On Thu, Aug 15, 2013 at 6:00 PM, Jay Ashworth <jra at baylink.com> wrote:
> Presumably, everyone else's are very religious as well.
>
> Is anyone here stupid enough not to put the management interfaces behind
> a firewall/VPN?
>
>   http://www.washingtonpost.com/blogs/the-switch/wp/2013/08/14/researchers-figure-out-how-to-hack-tens-of-thousands-of-servers/
>
> And should I be nervous that Usenix pointed me *there* for the story,
> rather than a tech press outlet?
>
> Cheers,
> -- jra
> --
> Jay R. Ashworth                  Baylink                       jra at baylink.com
> Designer                     The Things I Think                       RFC 2100
> Ashworth & Associates     http://baylink.pitas.com         2000 Land Rover DII
> St Petersburg FL USA               #natog                      +1 727 647 1274
>



-- 
Kyle Creyts

Information Assurance Professional
Founder BSidesDetroit



More information about the NANOG mailing list