Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
openvasCopyright (C) 2013 Greenbone AGOPENVAS:1361412562310103840
HistoryNov 27, 2013 - 12:00 a.m.

IPMI Cipher Zero Authentication Bypass Vulnerability (IPMI Protocol)

2013-11-2700:00:00
Copyright (C) 2013 Greenbone AG
plugins.openvas.org
58

7.6 High

AI Score

Confidence

Low

JSON

Intelligent Platform Management Interface (IPMI) services are
prone to an authentication bypass vulnerability.

# SPDX-FileCopyrightText: 2013 Greenbone AG
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-only

if (description)
{
  script_oid("1.3.6.1.4.1.25623.1.0.103840");
  script_version("2024-06-14T05:05:48+0000");
  script_tag(name:"last_modification", value:"2024-06-14 05:05:48 +0000 (Fri, 14 Jun 2024)");
  script_tag(name:"creation_date", value:"2013-11-27 15:03:17 +0100 (Wed, 27 Nov 2013)");
  script_tag(name:"cvss_base", value:"10.0");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:C/I:C/A:C");

  script_tag(name:"qod_type", value:"remote_vul");

  script_tag(name:"solution_type", value:"VendorFix");

  script_name("IPMI Cipher Zero Authentication Bypass Vulnerability (IPMI Protocol)");

  script_category(ACT_ATTACK);

  script_family("General");
  script_copyright("Copyright (C) 2013 Greenbone AG");
  script_dependencies("gb_ipmi_detect.nasl");
  script_require_udp_ports("Services/udp/ipmi", 623);
  script_mandatory_keys("ipmi/version/2.0");

  script_tag(name:"summary", value:"Intelligent Platform Management Interface (IPMI) services are
  prone to an authentication bypass vulnerability.");

  script_tag(name:"vuldetect", value:"Sends a request with a zero cipher and checks if this request
  was accepted.");

  script_tag(name:"insight", value:"The remote IPMI service accepted a session open request for
  cipher zero.");

  script_tag(name:"impact", value:"Attackers can exploit this issue to gain administrative access to
  the device and disclose sensitive information.");

  script_tag(name:"solution", value:"Ask the Vendor for an update.");

  script_xref(name:"URL", value:"https://web.archive.org/web/20230909085739/http://fish2.com/ipmi/cipherzero.html");

  exit(0);
}

include("port_service_func.inc");
include("host_details.inc");

port = service_get_port(default:623, ipproto:"udp", proto:"ipmi");

if(!soc = open_sock_udp(port))
  exit(0);

req = raw_string(0x06, 0x00, 0xff, 0x07, 0x06, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x00,
                 0x00, 0x00, 0x00, 0x00, 0x71, 0x1e, 0x24, 0x73, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00,
                 0x01, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00);

send(socket:soc, data:req);
recv = recv(socket:soc, length:1024);
close(soc);

if(hexstr(recv) !~ "0600ff07" || strlen(recv) < 16 || hexstr(recv[5]) != "11")
  exit(0);

len = ord(raw_string(recv[14], recv[15]));
if(len > strlen(recv))
  exit(0);

data = substr(recv, strlen(recv) - len);
if(data[1] && ord(data[1]) == 0) {

  # nb:
  # - Store the reference from this one to gb_ipmi_detect.nasl to show a cross-reference within the
  #   reports
  # - We don't want to use get_app_* functions as we're only interested in the cross-reference here
  register_host_detail(name:"detected_by", value:"1.3.6.1.4.1.25623.1.0.103835"); # gb_ipmi_detect.nasl
  register_host_detail(name:"detected_at", value:port + "/udp");

  report = "The remote IPMI service accepted a session open request for cipher zero.";
  security_message(port:port, proto:"udp", data:report);
  exit(0);
}

exit(99);

7.6 High

AI Score

Confidence

Low

JSON