CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:C/I:N/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
AI Score
Confidence
High
EPSS
Percentile
96.9%
The Intelligent Platform Management Interface (IPMI) implementations in multiple manufacturer’s Baseboard Management Controller (BMC) software are vulnerable to IPMI session hijacking. An attacker with access to the BMC network (with IPMI enabled) can abuse the lack of session integrity to hijack sessions and execute arbitrary IPMI commands on the BMC.
IPMI is a computer interface specification that provides a low-level management capability independent of hardware, firmware, or operating system. IPMI is supported by many BMC manufacturers to allow for transparent access to hardware. IPMI also supports pre-boot capabilities of a computer such as selection of boot media and boot environment. BMCs are recommended to be accessible via dedicated internal networks to avoid risk of exposure.
IPMI sessions between a client and a BMC follow the RAKP key exchange protocol, as specified in the IPMI 2.0 specification. This involves a session ID and a BMC random number to uniquely identify an IPMI session. The security researcher, who wishes to remain anonymous, has attempted to disclose two vulnerabilities related to BMC software and session management. The first vulnerability identifies the use of weak randomization while interacting with a BMC using IPMI sessions. The researcher discovered that if both the IPMI session ID and BMC’s random number are predictable or constant, an attacker can either hijack a session or replay a session without knowing the password that was set to protect the BMC. The second vulnerability from the reporter identifies certain cases where the BMC software fails to enforce previously negotiated IPMI 2.0 session parameters, allowing an attacker to either downgrade or disable session verification. Due to the reuse of software or libraries, these vulnerabilities may be present in multiple models of BMC. It is recommended that sufficient precaution is taken in protecting datacenters and cloud installations with multiple servers to protect IPMI session interaction using both the software updates and the recommendations to secure and isolate the networks where IPMI is accessible.
An unauthenticated attacker with access to the BMC network can predict IPMI session IDs and/or BMC random numbers to replay a previous session or hijack an IPMI session. This can allow the attacker to inject arbitrary commands into the BMC and be able to perform high-privileged functions (reboot, power-off, re-image of the machine) that are available to the BMC.
Please consult the Vendor Information section for information provided by BMC vendors to address these vulnerabilities.
As a general good security practice, only allow connections from trusted hosts and networks to the BMC network that exposes the IPMI enabled interface.
Thanks to the security researcher who would like to remain anonymous for researching and reporting these vulnerabilities.
This document was written by Ben Koo.
163057
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Additional information available
__ Sort by: Status Alphabetical
Expand all
Notified: 2023-01-17 Updated: 2024-05-17
Statement Date: May 14, 2024
CVE-2023-28863 | Affected |
---|---|
CVE-2024-3411 | Unknown Vendor Statement: |
Not reproducible |
Notified: 2023-12-08 Updated: 2024-08-23
Statement Date: August 23, 2024
CVE-2023-28863 | Affected |
---|---|
CVE-2024-3411 | Affected |
Fujitsu is aware of the vulnerabilities in IPMI and AMI MegaRAC SPx.
Affected products are Fujitsu CCD (Client Computing Devices), as well as datacenter server and storage devices.
The Fujitsu PSIRT (Europe) released FJ-ISS-2024-041000 on https://security.ts.fujitsu.com (Security Notices) accordingly; see https://security.ts.fujitsu.com/ProductSecurity/content/Fujitsu-PSIRT-FJ-ISS-2024-041000-Security-Notice.pdf
In case of questions regarding this Fujitsu PSIRT security notice, please contact the Fujitsu PSIRT (Europe) ([email protected]).
Notified: 2023-12-08 Updated: 2024-04-30
Statement Date: January 04, 2024
CVE-2023-28863 | Affected |
---|---|
Vendor Statement: | |
Microsoft will consume the Patch released by AMI https://9443417.fs1.hubspotusercontent-na1.net/hubfs/9443417/Security Advisories/AMI-SA-2023003.pdf | |
CVE-2024-3411 | Not Affected Vendor Statement: |
Microsoft implementation is built on AMI and since AMI is not vulnerable to this issue, no impact on Microsoft. |
Notified: 2023-12-14 Updated: 2024-04-30
Statement Date: March 15, 2024
CVE-2023-28863 | Not Affected |
---|---|
CVE-2024-3411 | Not Affected |
We have not received a statement from the vendor.
Notified: 2023-12-08 Updated: 2024-04-30
Statement Date: April 10, 2024
CVE-2023-28863 | Not Affected |
---|---|
CVE-2024-3411 | Not Affected Vendor Statement: |
If the IPMI over LAN feature is manually enabled, Cisco UCS does use “predictable session IDs” for IPMI authenticated sessions, however BMC Random Numbers are correctly enforced with sufficient randomness. Cisco is not aware of any way to use a “predictable session ID” alone in order to execute the type of attacks described in this report against Cisco UCS. The IPMI over LAN feature is disabled by default and recommended to be kept disabled. |
Notified: 2023-12-08 Updated: 2024-04-30
Statement Date: January 25, 2024
CVE-2023-28863 | Not Affected |
---|---|
CVE-2024-3411 | Not Affected |
Intel is not affected
Notified: 2023-01-17 Updated: 2024-04-30
Statement Date: March 10, 2023
CVE-2023-28863 | Not Affected |
---|---|
Vendor Statement: | |
not affected | |
CVE-2024-3411 | Not Affected |
Notified: 2023-12-14 Updated: 2024-04-30
Statement Date: March 07, 2024
CVE-2023-28863 | Not Affected |
---|---|
CVE-2024-3411 | Not Affected |
We have not received a statement from the vendor.
Notified: 2023-12-08 Updated: 2024-04-30 CVE-2023-28863 | Unknown |
---|---|
CVE-2024-3411 | Unknown |
We have not received a statement from the vendor.
Notified: 2023-12-08 Updated: 2024-04-30 CVE-2023-28863 | Unknown |
---|---|
CVE-2024-3411 | Unknown |
We have not received a statement from the vendor.
Notified: 2023-12-14 Updated: 2024-04-30 CVE-2023-28863 | Unknown |
---|---|
CVE-2024-3411 | Unknown |
We have not received a statement from the vendor.
Notified: 2023-12-08 Updated: 2024-04-30 CVE-2023-28863 | Unknown |
---|---|
CVE-2024-3411 | Unknown |
We have not received a statement from the vendor.
Notified: 2023-12-08 Updated: 2024-04-30 CVE-2023-28863 | Unknown |
---|---|
CVE-2024-3411 | Unknown |
We have not received a statement from the vendor.
Notified: 2023-12-08 Updated: 2024-04-30 CVE-2023-28863 | Unknown |
---|---|
CVE-2024-3411 | Unknown |
We have not received a statement from the vendor.
Notified: 2023-12-08 Updated: 2024-04-30 CVE-2023-28863 | Unknown |
---|---|
CVE-2024-3411 | Unknown |
We have not received a statement from the vendor.
Notified: 2023-12-08 Updated: 2024-04-30 CVE-2023-28863 | Unknown |
---|---|
CVE-2024-3411 | Unknown |
We have not received a statement from the vendor.
Notified: 2023-01-17 Updated: 2024-04-30 CVE-2023-28863 | Unknown |
---|---|
CVE-2024-3411 | Unknown |
We have not received a statement from the vendor.
Notified: 2023-12-08 Updated: 2024-04-30 CVE-2023-28863 | Unknown |
---|---|
CVE-2024-3411 | Unknown |
We have not received a statement from the vendor.
Notified: 2023-12-08 Updated: 2024-04-30 CVE-2023-28863 | Unknown |
---|---|
CVE-2024-3411 | Unknown |
We have not received a statement from the vendor.
Notified: 2023-12-08 Updated: 2024-04-30 CVE-2023-28863 | Unknown |
---|---|
CVE-2024-3411 | Unknown |
We have not received a statement from the vendor.
Notified: 2023-12-08 Updated: 2024-04-30 CVE-2023-28863 | Unknown |
---|---|
CVE-2024-3411 | Unknown |
We have not received a statement from the vendor.
Notified: 2023-12-14 Updated: 2024-04-30 CVE-2023-28863 | Unknown |
---|---|
CVE-2024-3411 | Unknown |
We have not received a statement from the vendor.
Notified: 2023-12-14 Updated: 2024-04-30 CVE-2023-28863 | Unknown |
---|---|
CVE-2024-3411 | Unknown |
We have not received a statement from the vendor.
Notified: 2023-12-14 Updated: 2024-04-30 CVE-2023-28863 | Unknown |
---|---|
CVE-2024-3411 | Unknown |
We have not received a statement from the vendor.
Notified: 2023-12-08 Updated: 2024-04-30 CVE-2023-28863 | Unknown |
---|---|
CVE-2024-3411 | Unknown |
We have not received a statement from the vendor.
Notified: 2023-12-08 Updated: 2024-04-30 CVE-2023-28863 | Unknown |
---|---|
CVE-2024-3411 | Unknown |
We have not received a statement from the vendor.
Notified: 2023-12-14 Updated: 2024-04-30 CVE-2023-28863 | Unknown |
---|---|
CVE-2024-3411 | Unknown |
We have not received a statement from the vendor.
Notified: 2023-12-14 Updated: 2024-04-30 CVE-2023-28863 | Unknown |
---|---|
CVE-2024-3411 | Unknown |
We have not received a statement from the vendor.
Notified: 2023-12-14 Updated: 2024-04-30 CVE-2023-28863 | Unknown |
---|---|
CVE-2024-3411 | Unknown |
We have not received a statement from the vendor.
View all 29 vendors __View less vendors __
CVE IDs: | CVE-2023-28863 CVE-2024-3411 |
---|---|
API URL: | VINCE JSON |
Date Public: | 2024-04-30 Date First Published: |
nvd.nist.gov/vuln/detail/cve-2013-4786
nvd.nist.gov/vuln/detail/CVE-2023-28863
www.cisa.gov/news-events/alerts/2013/07/26/risks-using-intelligent-platform-management-interface-ipmi
www.intel.com/content/dam/www/public/us/en/documents/product-briefs/ipmi-second-gen-interface-spec-v2-rev1-1.pdf
www.kb.cert.org/vuls/id/843044
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:C/I:N/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
AI Score
Confidence
High
EPSS
Percentile
96.9%