Date: Wed, 23 Nov 2022 16:27:29 +0000
From: "Julien Ahrens (RCE Security)" <info@...security.com>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: [FD] [CVE-2022-33942] Intel Data Center Manager Console <= 4.1.1.45749 ”UserMgmtHandler" Authentication Logic Error Leading to Authentication Bypass

RCE Security Advisory
https://www.rcesecurity.com


1. ADVISORY INFORMATION
=======================
Product:        Intel Data Center Manager
Vendor URL:     https://www.intel.com/content/www/us/en/developer/tools/data-center-manager-console/overview.html
Type:           Authentication Bypass by Spoofing [CWE-290]
Date found:     2022-06-01
Date published: 2022-11-23
CVSSv3 Score:   10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
CVE:            CVE-2022-33942


2. CREDITS
==========
This vulnerability was discovered and researched by Julien Ahrens from
RCE Security.


3. VERSIONS AFFECTED
====================
Intel Data Center Manager 4.1.1.45749 and below


4. INTRODUCTION
===============
Energy costs are the fastest rising expense for today’s data centers. Intel® Data
Center Manager (Intel® DCM) provides real-time power and thermal consumption data,
giving you the clarity you need to lower power usage, increase rack density, and
prolong operation during outages.

(from the vendor's homepage)


5. VULNERABILITY DETAILS
========================
The application allows configuring authentication via Active Directory groups. While
this by itself isn't an issue, it becomes one as soon as an Active Directory group
with a well-known SID (such as "S-1-5-32-544" or "S-1-5-32-546") is configured to
allow authentication to DCM. This is because Intel's DCM only relies on the group's
SID to allow authentication but doesn't verify the authenticating domain, which the
user can give during the authentication process against the DCM Console and its REST
interface.

Since the DCM will send all Kerberos and LDAP (authentication) requests against the
given domain, it is trivially easy to spoof the authentication responses by using an
arbitrary Kerberos and LDAP server and replying with the SID of one of the configured
Active Directory groups.

This allows an attacker to bypass the authentication schema by using any domain
with any user/password combination without actually being part of any Active Directory
groups.


6. PROOF OF CONCEPT
===================
See the referenced blog post for a full exploit.


7. SOLUTION
===========
Update to Intel DCM 5.0 or later


8. REPORT TIMELINE
==================
2022-06-01: Discovery of the vulnerability
2022-06-28: Sent notification to Intel via their PSIRT
2022-06-28: Vendor response: Sent to appropriate reviewers.
2022-06-29: Vendor acknowledges the vulnerability and asks for coordinated disclosure on Nov. 8, 2022
2022-06-30: Rejected the disclosure date, due to my own policy, which makes it: August 13, 2022
2022-07-08: After a vendor call, I've submitted the issue through Intel's bug bounty program
2022-xx-xx: Vendor releases version 5.0 without any notification which fixes this vulnerability
2022-11-08: Vendor (responsible CNA) assigns CVE-2022-33942
2022-11-08: Vendor publishes security advisory INTEL-SA-00713
2022-11-23: Public disclosure


9. REFERENCES
=============
https://www.rcesecurity.com/2022/11/from-zero-to-hero-part-1-bypassing-intel-dcms-authentication-by-spoofing-kerberos-and-ldap-responses-cve-2022-33942
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00713.html
https://github.com/MrTuxracer/advisories

Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

Powered by blists - more mailing lists