
047910
CVSS v2 base score 5.0 - MEDIUM (vector AV:N/AC:L/Au:N/C:N/I:P/A:N)
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
PARTIAL
Availability impact
NONE

Summary

The IPMI 1.5 functionality in Dell iDRAC6 modular before 3.65, iDRAC6 monolithic before 1.98, and iDRAC7 before 1.57.57 does not properly select session ID values. Because session IDs are predictable rather than random, a remote attacker who can reach the IPMI service (UDP port 623) without any credentials can recover the ID of an existing privileged session by brute force and inject arbitrary IPMI commands into that session. The vendor fix is a firmware upgrade to the listed versions; until then, restricting network access to the BMC/IPMI port reduces exposure. <a href="http://cwe.mitre.org/data/definitions/330.html">CWE-330: Use of Insufficiently Random Values</a>

Vulnerable Configurations

Part Description Count
Application
Dell
3
Application
Intel
1

Exploit-Db

description: Dell iDRAC IPMI 1.5 - Insufficient Session ID Randomness (CVE-2014-8272). Proof-of-concept exploit for the hardware platform; Exploit-DB files it under the "webapps" category although it targets the IPMI service, not the web interface.
file: exploits/hardware/webapps/35770.py
id: EDB-ID:35770
last seen: 2016-02-04
modified: 2015-01-13
platform: hardware
port: 623
published: 2015-01-13
reporter: Yong Chuan, Koh
source: https://www.exploit-db.com/download/35770/
title: Dell iDRAC IPMI 1.5 - Insufficient Session ID Randomness
type: webapps

Nessus

NASL family: CGI abuses
NASL id: DRAC_IPMI_CMD_INJ.NASL
description: The remote host is running a version of iDRAC that ships with a version of IPMI that does not sufficiently randomize session ID values. An unauthenticated, remote attacker can exploit this to inject arbitrary commands into a privileged session. Note that this plugin decides exposure from the iDRAC firmware version reported by the HTTPS management interface (default port 443); it does not probe the IPMI service on UDP/623, so a host whose firmware predates the fixed release may be flagged even if IPMI-over-LAN is disabled or otherwise unreachable.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 80442
published: 2015-01-09
reporter: This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/80442
title: Dell iDRAC Products IPMI Arbitrary Command Injection Vulnerability
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

# Plugin registration: when Nessus loads the script with `description` set,
# only the metadata below is evaluated and the script exits before any
# network activity. Attribute calls must precede script_end_attributes().
if (description)
{
  script_id(80442);
  script_version("1.9");
  script_cvs_date("Date: 2019/11/25");

  # Cross-references for the same issue: CVE, BugTraq, CERT/CC VU#843044
  # and the public PoC on Exploit-DB.
  script_cve_id("CVE-2014-8272");
  script_bugtraq_id(71750);
  script_xref(name:"CERT", value:"843044");
  script_xref(name:"EDB-ID", value:"35770");

  script_name(english:"Dell iDRAC Products IPMI Arbitrary Command Injection Vulnerability");
  # The check is version-based; it does not interact with the IPMI service.
  script_summary(english:"Checks the iDRAC version.");

  script_set_attribute(attribute:"synopsis", value:
"The remote host is affected by an arbitrary command injection
vulnerability.");
  script_set_attribute(attribute:"description", value:
"The remote host is running a version of iDRAC that ships with a
version of IPMI that does not sufficiently randomize session ID
values. An unauthenticated, remote attacker can exploit this to inject
arbitrary commands into a privileged session.");
  script_set_attribute(attribute:"see_also", value:"https://www.kb.cert.org/vuls/id/843044/");
  script_set_attribute(attribute:"solution", value:
"See the advisory for links to vendor patches.");
  # CVSSv2 5.0: network, low complexity, no auth, partial integrity impact.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2014-8272");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2014/12/18");
  script_set_attribute(attribute:"patch_publication_date", value:"2014/12/18");
  script_set_attribute(attribute:"plugin_publication_date", value:"2015/01/09");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:intel:ipmi");
  script_set_attribute(attribute:"cpe", value:"cpe:/h:dell:remote_access_card");
  script_set_attribute(attribute:"cpe", value:"cpe:/h:dell:idrac6");
  script_set_attribute(attribute:"cpe", value:"cpe:/h:dell:idrac7");
  script_end_attributes();

  # ACT_GATHER_INFO: passive with respect to the target; no exploit is sent.
  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # Relies on drac_detect.nasl having fingerprinted the iDRAC web interface
  # (it populates the installed_sw/iDRAC KB entries read below).
  script_dependencies("drac_detect.nasl");
  script_require_keys("installed_sw/iDRAC");
  script_require_ports("Services/www", 443);

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("install_func.inc");

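app = "iDRAC";
# Nothing to do unless drac_detect.nasl registered at least one iDRAC install.
get_install_count(app_name:app, exit_if_zero:TRUE);

# iDRAC exposes an embedded HTTPS management interface; default to 443.
port = get_http_port(default:443, embedded:TRUE);

install = get_single_install(
  app_name : app,
  port     : port,
  exit_if_unknown_ver : TRUE
);

dir         = install['path'];
version     = install['version'];            # iDRAC generation, e.g. "6" or "7"
fw_version  = install['Firmware Version'];   # firmware build of that generation
install_url = build_url(port:port, qs:dir);

# Only iDRAC6 and iDRAC7 are in scope for this advisory. Match the same
# "6" / "6.x" / "7" / "7.x" shape the per-branch checks below use so that
# an unrelated string starting with 6 or 7 cannot slip past this gate.
if (version !~ "^(6|7)($|\.)")
  audit(AUDIT_WRONG_WEB_SERVER, port, "iDRAC6 / iDRAC7 and therefore is not affected");

# Every affected/fixed decision below hinges on the firmware version.
# exit_if_unknown_ver only guards the generation, not 'Firmware Version';
# if the detection plugin did not report one, say so explicitly rather
# than falling through to "not affected" (a silent false negative).
if (empty_or_null(fw_version))
  audit(AUDIT_UNKNOWN_WEB_APP_VER, app + version, install_url);

fix = '';

# iDRAC6 modular ships 3.x firmware; fixed in 3.65.
if(version =~ "^6($|\.)" &&
   fw_version =~ "^3\." &&
   ver_compare(ver:fw_version, fix:'3.65', strict:FALSE) == -1)
  fix = '3.65';

# iDRAC6 monolithic ships 1.x firmware; fixed in 1.98.
else if(version =~ "^6($|\.)" &&
        fw_version =~ "^1\." &&
        ver_compare(ver:fw_version, fix:'1.98', strict:FALSE) == -1)
  fix = '1.98';

# iDRAC7 1.x firmware; fixed in 1.57.57 (2.x and later are not affected).
else if(version =~ "^7($|\.)" &&
        fw_version =~ "^1\." &&
        ver_compare(ver:fw_version, fix:'1.57.57', strict:FALSE) == -1)
  fix = '1.57.57';

if(fix != '')
{
  items = make_array(
    "URL", install_url,
    "iDRAC version", version,
    "Firmware version", fw_version,
    "Fixed version", fix
  );
  order = make_list("URL","iDRAC version","Firmware version","Fixed version");
  report = report_items_str(report_items:items, ordered_fields:order);

  # Medium severity, matching the CVSSv2 5.0 base score declared above.
  security_report_v4(port:port, extra:report, severity:SECURITY_WARNING);
  exit(0);
}
else audit(AUDIT_WEB_APP_NOT_AFFECTED, app + version, install_url, fw_version);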

Packetstorm

data source: https://packetstormsecurity.com/files/download/129952/dellidrac-randomness.txt
id: PACKETSTORM:129952
last seen: 2016-12-05
published: 2015-01-14
reporter: Yong Chuan Koh
source: https://packetstormsecurity.com/files/129952/Dell-iDRAC-IPMI-1.5-Insufficient-Session-ID-Randomness.html
title: Dell iDRAC IPMI 1.5 Insufficient Session ID Randomness

Seebug

bulletinFamily: exploit (note: this Seebug entry is primarily about the Supermicro IPMI port-49152 password-disclosure issue and a survey of default BMC credentials; it cites CVE-2014-8272 only as a related IPMI weakness, so its exposure figures do not describe the Dell iDRAC session-ID flaw)
description<p><b>关于 IPMI:</b></p><p>智能平台管理接口 (IPMI) 是一种开放标准的硬件管理接口规格,定义了嵌入式管理子系统进行通信的特定方法。IPMI 信息通过基板管理控制器 (BMC)(位于 IPMI 规格的硬件组件上)进行交流。IPMI是智能型平台管理接口(Intelligent Platform Management Interface)的缩写,是管理基于 Intel结构的企业系统中所使用的外围设备采用的一种工业标准,该标准由英特尔、惠普、NEC、美国戴尔电脑和SuperMicro等公司制定。具体请看:<a href="http://baike.baidu.com/view/1595174.htm">http://baike.baidu.com/view/1595174.htm</a></p><p>简单来说了,有了IPMI这个东西,用户可以利用IPMI监视服务器的物理健康特征,如温度、电压、风扇工作状态、电源状态等,更重要的是可以装系统、开关机、查看操作服务器屏幕输出,就好比站在服务器面前。</p><p><b>IPMI 漏洞:</b></p><p>PMI服务通常运行于 623/udp 端口,最近一个新的 IPMI 漏洞被披露:&nbsp;<a href="https://labs.mwrinfosecurity.com/blog/2015/01/08/cve-2014-8272/" target="_blank">CVE-2014-8272:A Case of Weak Session-ID in Dell iDRAC</a>&nbsp;。</p><p>除了这个漏洞外,IPMI 还有若干个相关漏洞:</p><ul><li><a href="https://community.rapid7.com/community/metasploit/blog/2013/07/02/a-penetration-testers-guide-to-ipmi" target="_blank">A Penetration Tester's Guide to IPMI and BMCs</a>: 这是一篇 rapid7.com 上的文章。</li><li><a href="http://blog.knownsec.com/2014/06/supermicro-ipmi-49152-port-password-leak/" target="_blank">Supermicro IPMI 49152 端口密码泄漏漏洞</a>:这个漏洞我们在 2014 年 06 月进行过报道。</li></ul><p>根据&nbsp;<a href="https://labs.mwrinfosecurity.com/blog/2015/01/08/cve-2014-8272/" target="_blank">A Case of Weak Session-ID in Dell iDRAC</a>&nbsp;里给出的&nbsp;<a href="https://labs.mwrinfosecurity.com/system/assets/833/original/cve-2014-8272_public.py" target="_blank">POC</a>&nbsp;来看,CVE-2014-8272 漏洞很难批量检测。但在 POC 里若不指定 IPMI 用户名和密码的话,程序会使用默认密码进行检测。所以我们计划进行一次全球检测,以评估全球使用默认密码或者密码容易泄漏的服务器数量。这里我们主要关注 2 个漏洞:</p><ul><li>Supermicro IPMI 49152 端口密码泄漏漏洞:这个漏洞我们在 2014 年 06 月进行过检测,这次我们再次进行检测以评估多少服务器修复了这个漏洞。</li><li>使用了如下已知 IPMI 默认账户:</li></ul><table><colgroup><col width="NaN%"><col width="NaN%"><col width="NaN%"></colgroup><tbody><tr><td>产品名称</td><td>默认用户名</td><td>默认密码</td></tr><tr><td>Supermicro IPMI (2.0)&nbsp;<br></td><td>ADMIN</td><td>ADMIN</td></tr><tr><td>Oracle/Sun Integrated Lights Out Manager (ILOM)<br></td><td>root</td><td>changeme<br></td></tr><tr><td>BM 
Integrated Management Module (IMM)&nbsp;<br></td><td>USERID<br></td><td>PASSW0RD (with a zero)<br></td></tr><tr><td>HP Integrated Lights Out (iLO)<br></td><td>Administrator<br></td><td>(null)<br></td></tr><tr><td>Fujitsu Integrated Remote Management Controller<br></td><td>admin</td><td>admin<br><br></td></tr><tr><td>Dell Remote Access Card (iDRAC, DRAC) <br></td><td>root</td><td>calvin</td></tr><tr><td>ASUS iKVM BMC<br></td><td>admin</td><td>admin</td></tr></tbody></table><p>举例:</p><p>攻击者可以通过请求服务器49152端口的/PSBlock文件,就可得到80端口web管理界面的密码,密码放在PSBlock文件中,例如:<a href="http://69.73." rel="nofollow">http://69.73.</a><a href="http://69.73."></a>*.*:49152/PSBlock。再访问<a href="http://69.73." rel="nofollow">http://69.73.</a><a href="http://69.73."></a>*.*/登录管理。</p><p>ZoomEye感知:</p><ul><li>Supermicro IPMI 49152 端口密码泄漏漏洞:<br><ul><li>2014 年 06 月 27 日:11,700&nbsp;个服务器存在漏洞。</li><li>2015 年 01 月 22 日:1,725&nbsp;个服务器存在漏洞。</li></ul></li><li>IPMI脆弱帐号统计(包括 Supermicro IPMI 49152 端口密码泄漏漏洞), 截止至 2015 年 01 月 22 日&nbsp;</li></ul><table><colgroup><col width="33.285917496443815%"><col width="33.285917496443815%"><col width="33.57041251778094%"></colgroup><tbody><tr><td>产品名称</td><td>漏洞类型</td><td>数量</td></tr><tr><td>Supermicro IPMI (2.0)<br></td><td>使用默认帐号,但不存在 49152 端口密码泄漏漏洞<br></td><td>3125</td></tr><tr><td>Supermicro IPMI (2.0)<br></td><td>49152 端口密码泄漏漏洞<br></td><td>1725</td></tr><tr><td>Dell Remote Access Card (iDRAC, DRAC)<br></td><td>使用默认帐号<br></td><td>636</td></tr><tr><td>Fujitsu Integrated Remote Management Controller / ASUS iKVM BMC<br></td><td>使用默认帐号<br></td><td>533</td></tr><tr><td>IBM Integrated Management Module (IMM)<br></td><td>使用默认帐号<br></td><td>115</td></tr><tr><td>Oracle/Sun Integrated Lights Out Manager (ILOM)<br></td><td>使用默认帐号<br></td><td>41</td></tr><tr><td>HP Integrated Lights Out (iLO)<br></td><td>使用默认帐号<br></td><td>22</td></tr></tbody></table><p><br></p><p>危害:</p><p>攻击者不需要认证即可获取管理密码,从而登录IPMI管理页面,这个后台拥有操作服务器的最高权限——重装系统,其后果可想而知。</p>
id: SSV:88846
last seen: 2017-11-19
modified: 2014-09-12
published: 2014-09-12
reporter: Root
source: https://www.seebug.org/vuldb/ssvid-88846
title: Supermicro Onboard IPMI Port 49152 敏感文件泄露漏洞 (Supermicro onboard IPMI port 49152 sensitive-file disclosure vulnerability)