Authentication Bypass Vulnerability in IPMI 2.0 RAKP through the use of cipher zero

CVE-2013-4782 (bmc)

Vulnerability Summary for CVE-2013-4782
Original release date: 07/08/2013
Last revised: 07/09/2013
Source: US-CERT/NIST

Overview
The Supermicro BMC implementation allows remote attackers to bypass authentication and execute arbitrary IPMI commands by using cipher suite 0 (aka cipher zero) and an arbitrary password.

CVSS Severity (version 2.0):
CVSS v2 Base Score: 10.0 (HIGH)
Impact Subscore: 10.0
Exploitability Subscore: 10.0

CVSS Version 2 Metrics:
Access Vector: Network exploitable
Access Complexity: Low
Authentication: Not required to exploit
Impact Type: Allows unauthorized disclosure of information; Allows unauthorized modification; Allows disruption of service

References to Advisories, Solutions, and Tools
External Source: MLIST
Name: [Freeipmi-devel] 20130222 The Infamous Cipher Zero, I presume?
Hyperlink: https://lists.gnu.org/archive/html/freeipmi-devel/2013-02/msg00013….

External Source: MISC
Name: http://www.wired.com/threatlevel/2013/07/ipmi/
Hyperlink: http://www.wired.com/threatlevel/2013/07/ipmi/

External Source: MISC
Name: http://www.metasploit.com/modules/auxiliary/scanner/ipmi/ipmi_ciphe…
Hyperlink: http://www.metasploit.com/modules/auxiliary/scanner/ipmi/ipmi_ciphe…

External Source: OSVDB
Name: 93038
Hyperlink: http://osvdb.org/show/osvdb/93038

External Source: MISC
Name: http://fish2.com/ipmi/cipherzero.html
Hyperlink: http://fish2.com/ipmi/cipherzero.html

CVE-2013-4786 (intelligent_platform_management_interface)

Vulnerability Summary for CVE-2013-4786
Original release date: 07/08/2013
Last revised: 07/09/2013
Source: US-CERT/NIST

Overview
The IPMI 2.0 specification supports RMCP+ Authenticated Key-Exchange Protocol (RAKP) authentication, which allows remote attackers to obtain password hashes and conduct offline password guessing attacks by obtaining the HMAC from a RAKP message 2 response from a BMC.

CVSS Severity (version 2.0):
CVSS v2 Base Score: 7.8 (HIGH)
Impact Subscore: 6.9
Exploitability Subscore: 10.0

CVSS Version 2 Metrics:
Access Vector: Network exploitable
Access Complexity: Low
Authentication: Not required to exploit
Impact Type: Allows unauthorized disclosure of information

References to Advisories, Solutions, and Tools
External Source: MISC
Name: https://community.rapid7.com/community/metasploit/blog/2013/07/02/a…
Hyperlink: https://community.rapid7.com/community/metasploit/blog/2013/07/02/a…

External Source: MISC
Name: http://fish2.com/ipmi/remote-pw-cracking.html
Hyperlink: http://fish2.com/ipmi/remote-pw-cracking.html