CVE-2013-4786 - Credentials Management vulnerability in multiple products

CVSS 7.5 - HIGH
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: HIGH
Integrity impact: NONE
Availability impact: NONE

Tags: network, low complexity, oracle, intel, CWE-255, nessus, exploit available, metasploit

Summary

The IPMI 2.0 specification supports RMCP+ Authenticated Key-Exchange Protocol (RAKP) authentication, which allows remote attackers to obtain password hashes and conduct offline password guessing attacks by obtaining the HMAC from a RAKP message 2 response from a BMC.

Vulnerable Configurations

Part         Description   Count
OS           Oracle        1
Application  Intel         1

Common Weakness Enumeration (CWE)

Exploit-Db

description: Intelligent Platform Management Interface Information Disclosure Vulnerability. CVE-2013-4786. Remote exploit for multiple platforms.
id: EDB-ID:38633
last seen: 2016-02-04
modified: 2013-07-02
published: 2013-07-02
reporter: Dan Farmer
source: https://www.exploit-db.com/download/38633/
title: Intelligent Platform Management Interface Information Disclosure Vulnerability

Metasploit

description: This module identifies IPMI 2.0-compatible systems and attempts to retrieve the HMAC-SHA1 password hashes of default usernames. The hashes can be stored in a file using the OUTPUT_FILE option and then cracked using hmac_sha1_crack.rb in the tools subdirectory, as well as hashcat (CPU) 0.46 or newer using hash type 7300.
id: MSF:AUXILIARY/SCANNER/IPMI/IPMI_DUMPHASHES
last seen: 2020-04-30
modified: 2018-09-15
published: 2013-06-23
references:
reporter: Rapid7
source: https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/ipmi/ipmi_dumphashes.rb
title: IPMI 2.0 RAKP Remote SHA1 Password Hash Retrieval

Nessus

NASL family: General
NASL id: IPMI_PASSHASH_DISCLOSURE.NASL
description: The remote host supports IPMI v2.0. The Intelligent Platform Management Interface (IPMI) protocol is affected by an information disclosure vulnerability due to the support of RMCP+ Authenticated Key-Exchange Protocol (RAKP) authentication. A remote attacker can obtain password hash information for valid user accounts via the HMAC from a RAKP message 2 response from a BMC.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 80101
published: 2014-12-18
reporter: This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/80101
title: IPMI v2.0 Password Hash Disclosure