ID

VAR-201307-0421


CVE

CVE-2013-4786


TITLE

IPMI Vulnerability to get password hash in specification

Trust: 0.8

sources: JVNDB: JVNDB-2013-003252

DESCRIPTION

The IPMI 2.0 specification supports RMCP+ Authenticated Key-Exchange Protocol (RAKP) authentication, which allows remote attackers to obtain password hashes and conduct offline password guessing attacks by obtaining the HMAC from a RAKP message 2 response from a BMC. Intelligent Platform Management Interface is prone to an information-disclosure vulnerability. Intelligent Platform Management Interface 2.0 is vulnerable; other versions may also be affected. , which provides the ability to monitor, control, and automatically report on the health of a large number of servers. There is a vulnerability in the RMCP+ Authenticated Key-Exchange Protocol (RAKP) authentication supported by the IPMI version 2.0 specification. HP Integrated Lights-Out 2, 3, and 4 (iLO2, iLO3, iLO4) BACKGROUND CVSS 2.0 Base Metrics =========================================================== Reference Base Vector Base Score CVE-2013-4786 (AV:N/AC:M/Au:S/C:C/I:C/A:C) 8.5 =========================================================== Information on CVSS is documented in HP Customer Notice: HPSN-2008-002 RESOLUTION There is no resolution to this issue. Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Note: the current version of the following document is available here: https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c04197764 SUPPORT COMMUNICATION - SECURITY BULLETIN Document ID: c04197764 Version: 2 HPSBHF02981 rev.2 - HPE Integrated Lights-Out 2, 3, 4 (iLO2, iLO3, iLO4) and HPE Superdome Flex RMC - IPMI 2.0 RCMP+ Authentication Remote Password Hash Vulnerability (RAKP) NOTICE: The information in this Security Bulletin should be acted upon as soon as possible. Release Date: 2018-02-08 Last Updated: 2018-02-07 Potential Security Impact: Remote: Disclosure of Information Source: Hewlett Packard Enterprise, Product Security Response Team VULNERABILITY SUMMARY A potential security vulnerability has been identified in HPE Integrated Lights-Out 2, 3, 4 (iLO2, iLO3, iLO4) and HPE Superdome Flex RMC. The vulnerability could be exploited to allow an attacker to gain unauthorized privileges and unauthorized access to privileged information. **Note:** - This vulnerability also impacts the RMC of the "Superdome Flex" Server. References: - CVE-2013-4786 SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed. - HPE Superdome Flex Server 1.0 - HPE Integrated Lights-Out 4 (iLO 4) Firmware for ProLiant Gen8 Servers - All, when IPMI is enabled - HPE Integrated Lights-Out 3 (iLO 3) Firmware for ProLiant G7 Servers - All, when IPMI is enabled - HPE Integrated Lights-Out 2 (iLO 2) Firmware for ProLiant G6 Servers - All, when IPMI is enabled BACKGROUND CVSS Base Metrics ================= Reference, CVSS V3 Score/Vector, CVSS V2 Score/Vector CVE-2013-4786 8.3 CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H 8.5 (AV:N/AC:M/Au:S/C:C/I:C/A:C) Information on CVSS is documented in HPE Customer Notice HPSN-2008-002 here: https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c01345499 RESOLUTION There is no resolution to this issue. The authentication process for the IPMI 2.0 specification mandates that the server send a salted SHA1 or MD5 hash of the requested user's password to the client, prior to the client authenticating. The BMC returns the password hash for any valid user account requested. This password hash can be broken using an offline brute force or dictionary attack. Because this functionality is a key part of the IPMI 2.0 specification, there is no way to fix the problem without deviating from the IPMI 2.0 specification. HP recommends the following actions to mitigate the risk this introduces: 1. If you do not need to use IPMI, disable it. You can disable IPMI on iLO2/3/4 using the Disable IPMI over LAN command. 2. Maintain the latest iLO firmware that contains the most recent security patches. 3. Employ best practices in the management of the protocols and passwords on your systems and networks. Use strong passwords wherever possible. 4. If you must use IPMI, use a separate management LAN or VLAN, Access Control Lists (ACLs), or VPN to limit and restrict access to your iLO management interfaces. For Superdome Flex's RMC: * Refer to the below link for the details: <https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-a00026813en_us> HISTORY Version:1 (rev.1) - 1 April 2014 Initial release Version:2 (rev.2) - 7 February 2018 Include RMC of HPE Superdome Flex as an affected product Third Party Security Patches: Third party security patches that are to be installed on systems running Hewlett Packard Enterprise (HPE) software products should be applied in accordance with the customer's patch management policy. Support: For issues about implementing the recommendations of this Security Bulletin, contact normal HPE Services support channel. For other issues about the content of this Security Bulletin, send e-mail to security-alert@hpe.com. Report: To report a potential security vulnerability for any HPE supported product: Web form: https://www.hpe.com/info/report-security-vulnerability Email: security-alert@hpe.com Subscribe: To initiate a subscription to receive future HPE Security Bulletin alerts via Email: http://www.hpe.com/support/Subscriber_Choice Security Bulletin Archive: A list of recently released Security Bulletins is available here: http://www.hpe.com/support/Security_Bulletin_Archive Software Product Category: The Software Product Category is represented in the title by the two characters following HPSB. 3C = 3COM 3P = 3rd Party Software GN = HPE General Software HF = HPE Hardware and Firmware MU = Multi-Platform Software NS = NonStop Servers OV = OpenVMS PV = ProCurve ST = Storage Software UX = HP-UX Copyright 2016 Hewlett Packard Enterprise Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental,special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett Packard Enterprise and the names of Hewlett Packard Enterprise products referenced herein are trademarks of Hewlett Packard Enterprise in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQEcBAEBCAAGBQJae19eAAoJELXhAxt7SZaiCHcIAIcbsq0qjJxbuj5bBTnPOQnN yVq6HDHoQf401UTZQj0rcL3TFkn7VlpsNza9D2q5wK6Zsq2cuMYAC482yzWRu5bR HJjXdNmtU0orrz4TnnWRffIUHt1zxFNhjNp9YbnTeoZ9kakW81G+ut7U7vDiK4z+ zubjasa3B33vdOJCBRoUdr6a6xhU4F530JYoBCI0frMjiMwjM+e3KUls0R/rrpIS FYIPbgCDki8+KAMBzIqKz47udyV0DX3Wl3URjaK5YMLqPpu/01GvrCa4QU87r6QS XI/foHXZ4Hb4ThCJP4WvZhHI0t3C3Xtyt4uJEKFzvftyp8sxmxxmElbO8NhLq8w= =NNZA -----END PGP SIGNATURE-----

Trust: 2.25

sources: NVD: CVE-2013-4786 // JVNDB: JVNDB-2013-003252 // BID: 61076 // VULHUB: VHN-64788 // VULMON: CVE-2013-4786 // PACKETSTORM: 126011 // PACKETSTORM: 146306

AFFECTED PRODUCTS

vendor:intelmodel:intelligent platform management interfacescope:eqversion:2.0

Trust: 2.4

vendor:oraclemodel:fujitsu m10scope:lteversion:2290

Trust: 1.0

vendor:oraclemodel:xcpscope:ltversion:2290 (fujitsu m10-1/m10-4/m10-4s server )

Trust: 0.8

sources: JVNDB: JVNDB-2013-003252 // CNNVD: CNNVD-201307-123 // NVD: CVE-2013-4786

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2013-4786
value: HIGH

Trust: 1.0

NVD: CVE-2013-4786
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201307-123
value: HIGH

Trust: 0.6

VULHUB: VHN-64788
value: HIGH

Trust: 0.1

VULMON: CVE-2013-4786
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2013-4786
severity: HIGH
baseScore: 7.8
vectorString: AV:N/AC:L/AU:N/C:C/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

VULHUB: VHN-64788
severity: HIGH
baseScore: 7.8
vectorString: AV:N/AC:L/AU:N/C:C/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2013-4786
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-64788 // VULMON: CVE-2013-4786 // JVNDB: JVNDB-2013-003252 // CNNVD: CNNVD-201307-123 // NVD: CVE-2013-4786

PROBLEMTYPE DATA

problemtype:CWE-255

Trust: 1.9

sources: VULHUB: VHN-64788 // JVNDB: JVNDB-2013-003252 // NVD: CVE-2013-4786

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201307-123

TYPE

trust management problem

Trust: 0.6

sources: CNNVD: CNNVD-201307-123

CONFIGURATIONS

sources: JVNDB: JVNDB-2013-003252

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-64788 // VULMON: CVE-2013-4786

PATCH

title:Intelligent Platform Management Interfaceurl:http://www.intel.com/content/www/us/en/servers/ipmi/ipmi-home.html

Trust: 0.8

title:Text Form of Oracle Critical Patch Update - April 2016 Risk Matricesurl:http://www.oracle.com/technetwork/topics/security/cpuapr2016verbose-2881709.html

Trust: 0.8

title:Oracle Critical Patch Update Advisory - April 2016url:http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html

Trust: 0.8

title:Oracle Critical Patch Update CVSS V2 Risk Matrices - April 2016url:http://www.oracle.com/technetwork/topics/security/cpuapr2016-2881694.html

Trust: 0.8

title:April 2016 Critical Patch Update Releasedurl:https://blogs.oracle.com/security/entry/april_2016_critical_patch_update

Trust: 0.8

title:Red Hat: CVE-2013-4786url:https://vulmon.com/vendoradvisory?qidtp=red_hat_cve_database&qid=CVE-2013-4786

Trust: 0.1

title:Oracle: Oracle Critical Patch Update Advisory - April 2016url:https://vulmon.com/vendoradvisory?qidtp=oracle_advisories&qid=122319027ae43d6d626710f1b1bb1d43

Trust: 0.1

title: - url:https://github.com/fin3ss3g0d/CosmicRakp

Trust: 0.1

sources: VULMON: CVE-2013-4786 // JVNDB: JVNDB-2013-003252

EXTERNAL IDS

db:NVDid:CVE-2013-4786

Trust: 3.1

db:JVNDBid:JVNDB-2013-003252

Trust: 0.8

db:CNNVDid:CNNVD-201307-123

Trust: 0.7

db:JVNDBid:JVNDB-2021-000002

Trust: 0.6

db:BIDid:61076

Trust: 0.4

db:PACKETSTORMid:126011

Trust: 0.2

db:PACKETSTORMid:146306

Trust: 0.2

db:EXPLOIT-DBid:38633

Trust: 0.2

db:VULHUBid:VHN-64788

Trust: 0.1

db:VULMONid:CVE-2013-4786

Trust: 0.1

sources: VULHUB: VHN-64788 // VULMON: CVE-2013-4786 // BID: 61076 // JVNDB: JVNDB-2013-003252 // PACKETSTORM: 126011 // PACKETSTORM: 146306 // CNNVD: CNNVD-201307-123 // NVD: CVE-2013-4786

REFERENCES

url:http://fish2.com/ipmi/remote-pw-cracking.html

Trust: 2.1

url:https://community.rapid7.com/community/metasploit/blog/2013/07/02/a-penetration-testers-guide-to-ipmi

Trust: 2.1

url:http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html

Trust: 1.8

url:https://nvidia.custhelp.com/app/answers/detail/a_id/5010

Trust: 1.8

url:https://security.netapp.com/advisory/ntap-20190919-0005/

Trust: 1.8

url:http://marc.info/?l=bugtraq&m=139653661621384&w=2

Trust: 1.7

url:https://support.hpe.com/hpsc/doc/public/display?doclocale=en_us&docid=emr_na-c04197764

Trust: 1.7

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2013-4786

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2013-4786

Trust: 0.8

url:https://jvndb.jvn.jp/en/contents/2021/jvndb-2021-000002.html

Trust: 0.6

url:http://www.intel.com/content/www/us/en/servers/ipmi/ipmi-home.html

Trust: 0.3

url:http://www.oracle.com/technetwork/topics/security/cpuapr2016-2881694.html

Trust: 0.3

url:https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docdisplay?docid=emr_na-c04197764

Trust: 0.3

url:http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html

Trust: 0.3

url:https://nvd.nist.gov/vuln/detail/cve-2013-4786

Trust: 0.2

url:https://support.hpe.com/hpsc/doc/public/display?doclocale=en_us&amp;docid=emr_na-c04197764

Trust: 0.1

url:http://marc.info/?l=bugtraq&amp;m=139653661621384&amp;w=2

Trust: 0.1

url:https://cwe.mitre.org/data/definitions/255.html

Trust: 0.1

url:https://github.com/fin3ss3g0d/cosmicrakp

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:https://www.exploit-db.com/exploits/38633/

Trust: 0.1

url:https://www.rapid7.com/db/modules/auxiliary/scanner/ipmi/ipmi_dumphashes

Trust: 0.1

url:http://tools.cisco.com/security/center/viewalert.x?alertid=44733

Trust: 0.1

url:https://h20564.www2.hp.com/portal/site/hpsc/public/kb/

Trust: 0.1

url:http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins

Trust: 0.1

url:https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secbullarchive/

Trust: 0.1

url:http://www.hpe.com/support/security_bulletin_archive

Trust: 0.1

url:https://www.hpe.com/info/report-security-vulnerability

Trust: 0.1

url:https://h20564.www2.hpe.com/hpsc/doc/public/display?docid=emr_na-c01345499

Trust: 0.1

url:https://h20564.www2.hpe.com/hpsc/doc/public/display?docid=emr_na-c04197764

Trust: 0.1

url:http://www.hpe.com/support/subscriber_choice

Trust: 0.1

url:https://support.hpe.com/hpsc/doc/public/display?docid=emr_na-a00026813en_us>

Trust: 0.1

sources: VULHUB: VHN-64788 // VULMON: CVE-2013-4786 // BID: 61076 // JVNDB: JVNDB-2013-003252 // PACKETSTORM: 126011 // PACKETSTORM: 146306 // CNNVD: CNNVD-201307-123 // NVD: CVE-2013-4786

CREDITS

Dan Farmer

Trust: 0.3

sources: BID: 61076

SOURCES

db:VULHUBid:VHN-64788
db:VULMONid:CVE-2013-4786
db:BIDid:61076
db:JVNDBid:JVNDB-2013-003252
db:PACKETSTORMid:126011
db:PACKETSTORMid:146306
db:CNNVDid:CNNVD-201307-123
db:NVDid:CVE-2013-4786

LAST UPDATE DATE

2024-08-14T13:43:39.488000+00:00


SOURCES UPDATE DATE

db:VULHUBid:VHN-64788date:2020-10-29T00:00:00
db:VULMONid:CVE-2013-4786date:2020-10-29T00:00:00
db:BIDid:61076date:2016-07-06T14:29:00
db:JVNDBid:JVNDB-2013-003252date:2016-05-31T00:00:00
db:CNNVDid:CNNVD-201307-123date:2022-03-21T00:00:00
db:NVDid:CVE-2013-4786date:2020-10-29T00:15:12.113

SOURCES RELEASE DATE

db:VULHUBid:VHN-64788date:2013-07-08T00:00:00
db:VULMONid:CVE-2013-4786date:2013-07-08T00:00:00
db:BIDid:61076date:2013-07-02T00:00:00
db:JVNDBid:JVNDB-2013-003252date:2013-07-10T00:00:00
db:PACKETSTORMid:126011date:2014-04-03T22:22:00
db:PACKETSTORMid:146306date:2018-02-08T23:44:00
db:CNNVDid:CNNVD-201307-123date:2013-07-09T00:00:00
db:NVDid:CVE-2013-4786date:2013-07-08T22:55:01.217