Sign-up

ID

VAR-202211-0866


CVE

CVE-2022-33942


TITLE

Intel Data Center Manager Security hole

Trust: 0.6

sources: CNNVD: CNNVD-202211-2595

DESCRIPTION

Protection mechanism failure in the Intel(R) DCM software before version 5.0 may allow an unauthenticated user to potentially enable escalation of privilege via adjacent access. RCE Security Advisory https://www.rcesecurity.com 1. ADVISORY INFORMATION ======================= Product: Intel Data Center Manager Vendor URL: https://www.intel.com/content/www/us/en/developer/tools/data-center-manager-console/overview.html Type: Authentication Bypass by Spoofing [CWE-290] Date found: 2022-06-01 Date published: 2022-11-23 CVSSv3 Score: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) CVE: CVE-2022-33942 2. CREDITS ========== This vulnerability was discovered and researched by Julien Ahrens from RCE Security. 3. VERSIONS AFFECTED ==================== Intel Data Center Manager 4.1.1.45749 and below 4. INTRODUCTION =============== Energy costs are the fastest rising expense for today’s data centers. Intel® Data Center Manager (Intel® DCM) provides real-time power and thermal consumption data, giving you the clarity you need to lower power usage, increase rack density, and prolong operation during outages. (from the vendor's homepage) 5. VULNERABILITY DETAILS ======================== The application allows configuring authentication via Active Directory groups. While this by itself isn't an issue, it becomes one as soon as an Active Directory group with a well-known SID (such as "S-1-5-32-544" or "S-1-5-32-546") is configured to allow authentication to DCM. This is because Intel's DCM only relies on the group's SID to allow authentication but doesn't verify the authenticating domain, which the user can give during the authentication process against the DCM Console and its REST interface. Since the DCM will send all Kerberos and LDAP (authentication) requests against the given domain, it is trivially easy to spoof the authentication responses by using an arbitrary Kerberos and LDAP server and replying with the SID of one of the configured Active Directory groups. This allows an attacker to bypass the authentication schema by using any domain with any user/password combination without actually being part of any Active Directory groups. 6. PROOF OF CONCEPT =================== See the referenced blog post for a full exploit. 7. SOLUTION =========== Update to Intel DCM 5.0 or later 8. REPORT TIMELINE ================== 2022-06-01: Discovery of the vulnerability 2022-06-28: Sent notification to Intel via their PSIRT 2022-06-28: Vendor response: Sent to appropriate reviewers. 2022-06-29: Vendor acknowledges the vulnerability and asks for coordinated disclosure on Nov. 8, 2022 2022-06-30: Rejected the disclosure date, due to my own policy, which makes it: August 13, 2022 2022-07-08: After a vendor call, I've submitted the issue through Intel's bug bounty program 2022-xx-xx: Vendor releases version 5.0 without any notification which fixes this vulnerability 2022-11-08: Vendor (responsible CNA) assigns CVE-2022-33942 2022-11-08: Vendor publishes security advisory INTEL-SA-00713 2022-11-23: Public disclosure 9. REFERENCES ============= https://www.rcesecurity.com/2022/11/from-zero-to-hero-part-1-bypassing-intel-dcms-authentication-by-spoofing-kerberos-and-ldap-responses-cve-2022-33942 https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00713.html https://github.com/MrTuxracer/advisories

Trust: 1.08

sources: NVD: CVE-2022-33942 // VULHUB: VHN-426130 // PACKETSTORM: 170065

AFFECTED PRODUCTS

vendor:intelmodel:data center managerscope:ltversion:5.0

Trust: 1.0

sources: NVD: CVE-2022-33942

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2022-33942
value: HIGH

Trust: 1.0

secure@intel.com: CVE-2022-33942
value: HIGH

Trust: 1.0

CNNVD: CNNVD-202211-2595
value: HIGH

Trust: 0.6

nvd@nist.gov: CVE-2022-33942
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: ADJACENT
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.1

Trust: 1.0

secure@intel.com: CVE-2022-33942
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
attackVector: ADJACENT
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.1
impactScore: 6.0
version: 3.1

Trust: 1.0

sources: CNNVD: CNNVD-202211-2595 // NVD: CVE-2022-33942 // NVD: CVE-2022-33942

PROBLEMTYPE DATA

problemtype:NVD-CWE-Other

Trust: 1.0

sources: NVD: CVE-2022-33942

THREAT TYPE

remote or local

Trust: 0.6

sources: CNNVD: CNNVD-202211-2595

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202211-2595

EXPLOIT AVAILABILITY

sources:
            
            
            VULHUB: VHN-426130

PATCH
title:Intel Data Center Manager Security vulnerabilitiesurl:http://123.124.177.30/web/xxk/bdxqById.tag?id=214643
Trust: 0.6
sources:
            
            
            CNNVD: CNNVD-202211-2595

EXTERNAL IDS
db:NVDid:CVE-2022-33942
Trust: 1.8
db:PACKETSTORMid:170065
Trust: 0.8
db:AUSCERTid:ESB-2022.5843.2
Trust: 0.6
db:AUSCERTid:ESB-2022.5843
Trust: 0.6
db:CXSECURITYid:WLB-2022120005
Trust: 0.6
db:CNNVDid:CNNVD-202211-2595
Trust: 0.6
db:VULHUBid:VHN-426130
Trust: 0.1
sources:
            
            
            VULHUB: VHN-426130 // 
            
            
            
            PACKETSTORM: 170065 // 
            
            
            
            CNNVD: CNNVD-202211-2595 // 
            
            
            
            NVD: CVE-2022-33942

REFERENCES
url:https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00713.html
Trust: 1.8
url:https://cxsecurity.com/issue/wlb-2022120005
Trust: 0.6
url:https://packetstormsecurity.com/files/170065/intel-data-center-manager-4.1.1.45749-authentication-bypass-spoofing.html
Trust: 0.6
url:https://www.auscert.org.au/bulletins/esb-2022.5843
Trust: 0.6
url:https://cxsecurity.com/cveshow/cve-2022-33942/
Trust: 0.6
url:https://www.auscert.org.au/bulletins/esb-2022.5843.2
Trust: 0.6
url:https://github.com/mrtuxracer/advisories
Trust: 0.1
url:https://www.intel.com/content/www/us/en/developer/tools/data-center-manager-console/overview.html
Trust: 0.1
url:https://www.rcesecurity.com/2022/11/from-zero-to-hero-part-1-bypassing-intel-dcms-authentication-by-spoofing-kerberos-and-ldap-responses-cve-2022-33942
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2022-33942
Trust: 0.1
url:https://www.rcesecurity.com
Trust: 0.1
sources:
            
            
            VULHUB: VHN-426130 // 
            
            
            
            PACKETSTORM: 170065 // 
            
            
            
            CNNVD: CNNVD-202211-2595 // 
            
            
            
            NVD: CVE-2022-33942

CREDITS
Julien Ahrens
Trust: 0.7
sources:
            
            
            PACKETSTORM: 170065 // 
            
            
            
            CNNVD: CNNVD-202211-2595

SOURCES
db:VULHUBid:VHN-426130
db:PACKETSTORMid:170065
db:CNNVDid:CNNVD-202211-2595
db:NVDid:CVE-2022-33942

LAST UPDATE DATE
2024-08-14T15:11:12.335000+00:00

SOURCES UPDATE DATE
db:VULHUBid:VHN-426130date:2022-11-17T00:00:00
db:CNNVDid:CNNVD-202211-2595date:2023-03-28T00:00:00
db:NVDid:CVE-2022-33942date:2022-11-17T15:01:31.323

SOURCES RELEASE DATE
db:VULHUBid:VHN-426130date:2022-11-11T00:00:00
db:PACKETSTORMid:170065date:2022-11-30T20:48:27
db:CNNVDid:CNNVD-202211-2595date:2022-11-11T00:00:00
db:NVDid:CVE-2022-33942date:2022-11-11T16:15:15.097