Hi, I find it odd that this is suddenly news... There is plenty of security updates for iBMC/iDrac/etc from IBM/HP/Dell/etc over the years. But: You can use ipmitool, rootkit/exploit some Linux box and upload your own firmware in that iBMC/iDrac/etc... for example the BMC firmware for a Dell C1100 leave plenty of space to inject your own shell in it. And Voila! access to the management network =D. BTW I got ipmitool working even on VMWare 5.1 :( Counter: We (PCIDSS hat) always check for those management interfaces and "proposed" to move those interfaces into they own VLANs+Subnets. Meaning: PCI DMZ Zone has its own DMZ iBMC VLAN/Subnet/FW Rules, PCI DB Zone has its own iBMC VLAN/Subnet/FW Rules, etc. It is a few more VLAN/Subnets... but modern Firewall can handle this easy. PS: "proposed" as in not giving them a choice =D ----- Alain Hebert ahebert@pubnix.net PubNIX Inc. 50 boul. St-Charles P.O. Box 26770 Beaconsfield, Quebec H9W 6G7 Tel: 514-990-5911 http://www.pubnix.net Fax: 514-990-9443 On 08/16/13 00:22, Kyle Creyts wrote:
just so we're all clear, SuperMicro wasn't the only one...
link: http://pastebin.com/syXHLuC5
1. CVE-2013-4782 CVSS Base Score = 10.0 2. The SuperMicro BMC implementation allows remote attackers to bypass authentication and execute arbitrary IPMI commands by using cipher suite 0 (aka cipher zero) and an arbitrary password. 3. 4. CVE-2013-4783 CVSS Base Score = 10.0 5. The Dell iDRAC 6 BMC implementation allows remote attackers to bypass authentication and execute arbitrary IPMI commands by using cipher suite 0 (aka cipher zero) and an arbitrary password. 6. 7. CVE-2013-4784 CVSS Base Score = 10.0 8. The HP Integrated Lights-Out (iLO) BMC implementation allows remote attackers to bypass authentication and execute arbitrary IPMI commands by using cipher suite 0 (aka cipher zero) and an arbitrary password. 9. 10. CVE-2013-4785 CVSS Base Score = 10.0 11. iDRAC 6 firmware 1.7, and possibly other versions, allows remote attackers to modify the CLP interface for arbitrary users and possibly have other impact via a request to an unspecified form that is accessible from testurls.html. 12. 13. CVE-2013-4786 CVSS Base Score = 7.8 14. The IPMI 2.0 specification supports RMCP+ Authenticated Key-Exchange Protocol (RAKP) authentication, which allows remote attackers to obtain password hashes and conduct offline password guessing attacks by obtaining the HMAC from a RAKP message 2 responses from a BMC.
References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4782 => http://fish2.com/ipmi/cipherzero.html
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4783 => http://fish2.com/ipmi/cipherzero.html
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4784 => http://fish2.com/ipmi/cipherzero.html
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4785 => http://fish2.com/ipmi/dell/secret.html
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4786 => http://fish2.com/ipmi/remote-pw-cracking.html
On Thu, Aug 15, 2013 at 6:00 PM, Jay Ashworth <jra@baylink.com> wrote:
Presumably, everyone else's are very religious as well.
Is anyone here stupid enough not to put the management interfaces behind a firewall/VPN?
http://www.washingtonpost.com/blogs/the-switch/wp/2013/08/14/researchers-fig...
And should I be nervous that Usenix pointed me *there* for the story, rather than a tech press outlet?
Cheers, -- jra -- Jay R. Ashworth Baylink jra@baylink.com Designer The Things I Think RFC 2100 Ashworth & Associates http://baylink.pitas.com 2000 Land Rover DII St Petersburg FL USA #natog +1 727 647 1274