Vulnerabilities > CVE-2013-4786 - Credentials Management vulnerability in multiple products
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
COMPLETE Integrity impact
NONE Availability impact
NONE Summary
The IPMI 2.0 specification supports RMCP+ Authenticated Key-Exchange Protocol (RAKP) authentication, which allows remote attackers to obtain password hashes and conduct offline password guessing attacks by obtaining the HMAC from a RAKP message 2 response from a BMC.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| OS | 1 | |
| Application | 1 |
Common Weakness Enumeration (CWE)
Exploit-Db
| description | Intelligent Platform Management Interface Information Disclosure Vulnerability. CVE-2013-4786. Remote exploits for multiple platform |
| id | EDB-ID:38633 |
| last seen | 2016-02-04 |
| modified | 2013-07-02 |
| published | 2013-07-02 |
| reporter | Dan Farmer |
| source | https://www.exploit-db.com/download/38633/ |
| title | Intelligent Platform Management Interface Information Disclosure Vulnerability |
Metasploit
| description | This module identifies IPMI 2.0-compatible systems and attempts to retrieve the HMAC-SHA1 password hashes of default usernames. The hashes can be stored in a file using the OUTPUT_FILE option and then cracked using hmac_sha1_crack.rb in the tools subdirectory as well hashcat (cpu) 0.46 or newer using type 7300. |
| id | MSF:AUXILIARY/SCANNER/IPMI/IPMI_DUMPHASHES |
| last seen | 2020-04-30 |
| modified | 2018-09-15 |
| published | 2013-06-23 |
| references | |
| reporter | Rapid7 |
| source | https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/ipmi/ipmi_dumphashes.rb |
| title | IPMI 2.0 RAKP Remote SHA1 Password Hash Retrieval |
Nessus
| NASL family | General |
| NASL id | IPMI_PASSHASH_DISCLOSURE.NASL |
| description | The remote host supports IPMI v2.0. The Intelligent Platform Management Interface (IPMI) protocol is affected by an information disclosure vulnerability due to the support of RMCP+ Authenticated Key-Exchange Protocol (RAKP) authentication. A remote attacker can obtain password hash information for valid user accounts via the HMAC from a RAKP message 2 response from a BMC. |
| last seen | 2020-06-01 |
| modified | 2020-06-02 |
| plugin id | 80101 |
| published | 2014-12-18 |
| reporter | This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
| source | https://www.tenable.com/plugins/nessus/80101 |
| title | IPMI v2.0 Password Hash Disclosure |
References
- http://fish2.com/ipmi/remote-pw-cracking.html
- http://marc.info/?l=bugtraq&m=139653661621384&w=2
- http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html
- https://community.rapid7.com/community/metasploit/blog/2013/07/02/a-penetration-testers-guide-to-ipmi
- https://nvidia.custhelp.com/app/answers/detail/a_id/5010
- https://security.netapp.com/advisory/ntap-20190919-0005/
- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-c04197764