CERT VU#163057 (Apr 30, 2024)

BMC software fails to validate IPMI session.

Published 2024-04-30 00:00:00 by www.kb.cert.org
Tags: bmc software, ipmi session, session hijacking, arbitrary commands, vulnerabilities, security researcher, session integrity, rakp key exchange, pre-boot capabilities, software update, secure network, unauthorized access

CVSS2: 7.8 High (AV:N/AC:L/Au:N/C:C/I:N/A:N)
Attack Vector: NETWORK. Attack Complexity: LOW. Authentication: NONE. Confidentiality Impact: COMPLETE. Integrity Impact: NONE. Availability Impact: NONE.

CVSS3: 9.1 High (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
Attack Vector: NETWORK. Attack Complexity: LOW. Privileges Required: NONE. User Interaction: NONE. Scope: UNCHANGED. Confidentiality Impact: HIGH. Integrity Impact: HIGH. Availability Impact: NONE.

AI Score: 8.2 High (Confidence: High)

EPSS: 0.24 Low (Percentile: 96.6%)

Overview

The Intelligent Platform Management Interface (IPMI) implementations in multiple manufacturers' Baseboard Management Controller (BMC) software are vulnerable to IPMI session hijacking. An attacker with access to the BMC network (with IPMI enabled) can abuse the lack of session integrity to hijack sessions and execute arbitrary IPMI commands on the BMC.

Description

IPMI is a computer interface specification that provides a low-level management capability independent of hardware, firmware, or operating system. IPMI is supported by many BMC manufacturers to allow for transparent access to hardware. IPMI also supports pre-boot capabilities of a computer such as selection of boot media and boot environment. BMCs are recommended to be accessible via dedicated internal networks to avoid risk of exposure.

IPMI sessions between a client and a BMC are established with the RAKP key exchange protocol specified in IPMI 2.0. The exchange uses a session ID and a BMC-generated random number to uniquely identify each IPMI session. The security researcher, who wishes to remain anonymous, reported two vulnerabilities in BMC software session management. The first is the use of weak randomization in IPMI session setup: the researcher found that if both the IPMI session ID and the BMC's random number are predictable or constant, an attacker can hijack or replay a session without knowing the password that protects the BMC. The second is that in certain cases the BMC software fails to enforce previously negotiated IPMI 2.0 session parameters, allowing an attacker to downgrade or disable session verification. Because BMC firmware commonly reuses software and libraries, these vulnerabilities may be present in multiple BMC models. Operators of datacenters and cloud installations with many servers should protect IPMI session interaction both by applying the software updates and by following the recommendations to secure and isolate the networks where IPMI is reachable.
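As an added example that is not part of the CERT advisory or any vendor's code, the following Python audit checks the weakness described above from the defender's side: given BMC session IDs and RAKP BMC random numbers recorded from your own BMCs (the samples here are constructed), it reports whether each field is constant, repeated, or advancing by a fixed step, which is what to verify across a fleet before relying on a vendor's "not affected" status.

```python
"""Fleet audit for the weakness this VU describes: IPMI 2.0 session IDs and
RAKP BMC random numbers that are constant, repeated, or step by a fixed
amount are predictable. Added example, not code from the CERT advisory; the
sample values below are constructed to mimic fields a monitoring tap would
record from RMCP+ Open Session Responses (BMC session ID) and RAKP Message 2
(BMC random number). They are not values from any real BMC."""
import hashlib
from collections import Counter
from math import log2

# Constructed sample: a BMC that hands out session IDs counting up by one.
SEQUENTIAL_SESSION_IDS = [(0x0100 + i).to_bytes(4, "little") for i in range(6)]
# Constructed sample: a BMC that returns the same 16-byte "random" number.
CONSTANT_BMC_RANDOM = [bytes.fromhex("00112233445566778899aabbccddeeff")] * 4
# Constructed sample: a BMC whose random numbers vary (SHA-256 of a label is
# used only to keep the example deterministic; a real BMC must use a CSPRNG).
GOOD_BMC_RANDOM = [hashlib.sha256(b"constructed sample %d" % i).digest()[:16]
                   for i in range(4)]


def shannon_bits_per_byte(samples):
    """Empirical Shannon entropy of the byte distribution across all samples."""
    counts = Counter(b for s in samples for b in s)
    total = sum(counts.values())
    return -sum(c / total * log2(c / total) for c in counts.values())


def audit_nonces(samples):
    """Flag constant, repeated, or fixed-step values and low byte entropy."""
    ints = [int.from_bytes(s, "little") for s in samples]
    deltas = {b - a for a, b in zip(ints, ints[1:])}
    distinct = len(set(samples))
    return {
        "constant": distinct == 1,
        "repeated": distinct < len(samples),
        "fixed_step": len(samples) > 2 and len(deltas) == 1 and 0 not in deltas,
        "entropy_bits_per_byte": round(shannon_bits_per_byte(samples), 2),
    }


def is_predictable(report, min_entropy=3.0):
    """Any single finding is enough to treat the BMC's session setup as weak."""
    return (report["constant"] or report["repeated"] or report["fixed_step"]
            or report["entropy_bits_per_byte"] < min_entropy)


if __name__ == "__main__":
    for name, samples in [("session IDs", SEQUENTIAL_SESSION_IDS),
                          ("constant BMC random", CONSTANT_BMC_RANDOM),
                          ("varied BMC random", GOOD_BMC_RANDOM)]:
        report = audit_nonces(samples)
        print(f"{name}: predictable={is_predictable(report)} {report}")
```

Session IDs and BMC random numbers are audited separately because, as the Cisco statement below illustrates, a BMC can have predictable session IDs while its random numbers are sound.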

Impact

An unauthenticated attacker with access to the BMC network can predict IPMI session IDs and/or BMC random numbers to replay a previous session or hijack an active IPMI session. This allows the attacker to inject arbitrary commands into the BMC and perform the high-privileged functions the BMC exposes (reboot, power-off, re-imaging of the machine).

Solution

Apply an update

Please consult the Vendor Information section for information provided by BMC vendors to address these vulnerabilities.

Restrict access

As a general good security practice, only allow connections from trusted hosts and networks to the BMC network that exposes the IPMI enabled interface.

Acknowledgements

Thanks to the security researcher who would like to remain anonymous for researching and reporting these vulnerabilities.

This document was written by Ben Koo.

Vendor Information


American Megatrends Incorporated (AMI): Affected
Notified: 2023-01-17. Updated: 2024-05-17. Statement Date: May 14, 2024.
CVE-2023-28863: Affected.
CVE-2024-3411: Unknown. Vendor Statement: Not reproducible.

Microsoft: Affected
Notified: 2023-12-08. Updated: 2024-04-30. Statement Date: January 04, 2024.
CVE-2023-28863: Affected. Vendor Statement: Microsoft will consume the Patch released by AMI https://9443417.fs1.hubspotusercontent-na1.net/hubfs/9443417/Security Advisories/AMI-SA-2023003.pdf
CVE-2024-3411: Not Affected. Vendor Statement: Microsoft implementation is built on AMI and since AMI is not vulnerable to this issue, no impact on Microsoft.

AMD: Not Affected
Notified: 2023-12-14. Updated: 2024-04-30. Statement Date: March 15, 2024.
CVE-2023-28863: Not Affected.
CVE-2024-3411: Not Affected.
Vendor Statement: We have not received a statement from the vendor.

Cisco: Not Affected
Notified: 2023-12-08. Updated: 2024-04-30. Statement Date: April 10, 2024.
CVE-2023-28863: Not Affected.
CVE-2024-3411: Not Affected. Vendor Statement: If the IPMI over LAN feature is manually enabled, Cisco UCS does use “predictable session IDs” for IPMI authenticated sessions; however, BMC Random Numbers are correctly enforced with sufficient randomness. Cisco is not aware of any way to use a “predictable session ID” alone in order to execute the type of attacks described in this report against Cisco UCS. The IPMI over LAN feature is disabled by default and recommended to be kept disabled.

Intel: Not Affected
Notified: 2023-12-08. Updated: 2024-04-30. Statement Date: January 25, 2024.
CVE-2023-28863: Not Affected.
CVE-2024-3411: Not Affected.
Vendor Statement: Intel is not affected.

Supermicro: Not Affected
Notified: 2023-01-17. Updated: 2024-04-30. Statement Date: March 10, 2023.
CVE-2023-28863: Not Affected. Vendor Statement: not affected.
CVE-2024-3411: Not Affected.

Toshiba Corporation: Not Affected
Notified: 2023-12-14. Updated: 2024-04-30. Statement Date: March 07, 2024.
CVE-2023-28863: Not Affected.
CVE-2024-3411: Not Affected.
Vendor Statement: We have not received a statement from the vendor.

The following vendors have status Unknown for both CVE-2023-28863 and CVE-2024-3411; no statement has been received from any of them. Unless noted, each entry was updated 2024-04-30.

Acer: Notified 2023-12-08.
Amazon: Notified 2023-12-08.
ARM Limited: Notified 2023-12-14.
ASUSTeK Computer Inc.: Notified 2023-12-08.
Dell: Notified 2023-12-08.
Fujitsu Europe: Notified 2023-12-08. Updated 2024-05-06. Statement Date: May 03, 2024.
Gamma Tech Computer Corp.: Notified 2023-12-08.
GETAC Inc.: Notified 2023-12-08.
Google: Notified 2023-12-08.
Hewlett Packard Enterprise: Notified 2023-01-17.
HP Inc.: Notified 2023-12-08.
Hyve Solutions: Notified 2023-12-08.
IBM: Notified 2023-12-08.
Lenovo: Notified 2023-12-08.
Micron: Notified 2023-12-14.
NVIDIA: Notified 2023-12-14.
Quanta Grid: Notified 2023-12-14.
ReactOS: Notified 2023-12-08.
Star Labs Online Limited: Notified 2023-12-08.
Tyan: Notified 2023-12-14.
VAIO Corporation: Notified 2023-12-14.
ZTsystems: Notified 2023-12-14.

Other Information

CVE IDs: CVE-2023-28863, CVE-2024-3411
Date Public: 2024-04-30
