JVN#38752718: Multiple NEC Products vulnerable to authentication bypass

2021-01-04 00:00:00
Japan Vulnerability Notes
jvn.jp
CVSS3: 9.8 High

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • User Interaction: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: HIGH
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 9 High

  • Access Vector: NETWORK
  • Access Complexity: LOW
  • Authentication: NONE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: PARTIAL
  • Availability Impact: COMPLETE
  • Vector: AV:N/AC:L/Au:N/C:P/I:P/A:C

EPSS: 0.272 Low (Percentile: 96.8%)

Intelligent Platform Management Interface (IPMI) v1.5 specifies the Remote Management Control Protocol (RMCP) for accessing the BMC over a LAN.

Multiple NEC products that perform RMCP access using IPMI over LAN contain a flaw in their BMC firmware implementations: when the BMC is accessed through RMCP over a LAN, an unauthorized session may be established.

Impact

A logged-in remote attacker may obtain/modify BMC setting information, obtain monitoring information or reboot/shut down the product.

Solution

Do not use IPMI over LAN on the products
It is recommended to stop using IPMI over LAN in the products.
IPMI 2.0 contains a known vulnerability (CVE-2013-4786) through which password hashes may be obtained. Therefore, disable IPMI over LAN in the products to avoid the effects of this vulnerability.
According to the developer, IPMI over LAN is enabled by default in the affected products, but it does not function if no LAN cable is connected to the BMC LAN port.

Apply a Workaround
If the product’s IPMI over LAN must be used, apply the following workaround to mitigate the effects of this vulnerability.

  • Apply BMC firmware Rev1.10 or later, in which this vulnerability is addressed, use the product only in a safe intranet protected by a firewall, and do not connect the BMC to the Internet.
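
To confirm that a BMC you administer no longer answers RMCP after IPMI over LAN is disabled or firewalled, the following added example (not part of the original advisory or NEC's tooling) sends one ASF Presence Ping to UDP port 623 and parses the Pong. The function names are hypothetical, the message layout is the standard RMCP/ASF Presence Ping/Pong format and is assumed to be what the BMC implements, and the sample Pong is constructed.

```python
import socket
import struct

RMCP_PORT = 623    # UDP port assigned to RMCP
ASF_IANA = 4542    # ASF enterprise number carried in Ping and Pong
# RMCP header: version 0x06, reserved, sequence 0xFF (no ACK wanted), class 0x06 (ASF)
# ASF body: enterprise number, type 0x80 (Presence Ping), tag, reserved, data length 0
PRESENCE_PING = struct.pack(">BBBBIBBBB", 0x06, 0x00, 0xFF, 0x06, ASF_IANA, 0x80, 0, 0, 0)


def parse_presence_pong(datagram: bytes):
    """Return the fields of an ASF Presence Pong, or None if the datagram is not one."""
    if len(datagram) < 12:
        return None
    version, _, _, msg_class, iana, msg_type, tag, _, length = struct.unpack(">BBBBIBBBB", datagram[:12])
    if version != 0x06 or (msg_class & 0x1F) != 0x06 or iana != ASF_IANA or msg_type != 0x40:
        return None
    body = datagram[12:12 + length]
    if length < 9 or len(body) < length:
        return None  # truncated or malformed Pong
    entities = body[8]  # "supported entities" byte, after the 4-byte IANA and 4-byte OEM fields
    return {"tag": tag, "ipmi_supported": bool(entities & 0x80), "asf_version": entities & 0x0F}


def ipmi_over_lan_answers(host: str, timeout: float = 2.0) -> bool:
    """Send one Presence Ping to a BMC you administer; True if it reports IPMI support."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(PRESENCE_PING, (host, RMCP_PORT))
            reply, _ = sock.recvfrom(512)
        except OSError:
            return False  # no answer: disabled, filtered, or cable unplugged
    pong = parse_presence_pong(reply)
    return bool(pong and pong["ipmi_supported"])


# Constructed sample Pong (not captured from a real device): IPMI bit set, ASF version 1
SAMPLE_PONG = bytes.fromhex("0600ff06000011be40000010" "000011be" "00000000" "81" "00" "000000000000")

if __name__ == "__main__":
    import sys
    for bmc in sys.argv[1:]:  # addresses of BMCs from your own inventory
        state = "IPMI over LAN still answering" if ipmi_over_lan_answers(bmc) else "no RMCP reply"
        print(f"{bmc}: {state}")
```

A Pong only shows that RMCP is reachable from where the check runs; it does not tell you the firmware revision, so hosts that still answer should be checked against the Rev1.10 requirement separately.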

Products Affected

The following products are affected when running Baseboard Management Controller (BMC) firmware Rev1.09 or earlier.

  • Express5800/T110j
  • Express5800/T110j-S
  • Express5800/T110j (2nd-Gen)
  • Express5800/T110j-S (2nd-Gen)
  • iStorage NS100Ti
  • Express5800/GT110j
