ID CVE-2013-4786
Summary The IPMI 2.0 specification supports RMCP+ Authenticated Key-Exchange Protocol (RAKP) authentication, which allows remote attackers to obtain password hashes and conduct offline password guessing attacks by obtaining the HMAC from a RAKP message 2 response from a BMC.
References
Vulnerable Configurations
  • Oracle Fujitsu M10 Firmware 2290
    cpe:2.3:o:oracle:fujitsu_m10_firmware:2290
  • Intel Intelligent Platform Management Interface Specification (IPMI) 2.0
    cpe:2.3:a:intel:intelligent_platform_management_interface:2.0
CVSS
Base: 7.8 (as of 25-04-2016 - 14:03)
Impact:
Exploitability:
CWE CWE-255
CAPEC
Access
Vector Complexity Authentication
NETWORK LOW NONE
Impact
Confidentiality Integrity Availability
COMPLETE NONE NONE
exploit-db via4
description Intelligent Platform Management Interface Information Disclosure Vulnerability. CVE-2013-4786. Remote exploits for multiple platform
id EDB-ID:38633
last seen 2016-02-04
modified 2013-07-02
published 2013-07-02
reporter Dan Farmer
source https://www.exploit-db.com/download/38633/
title Intelligent Platform Management Interface Information Disclosure Vulnerability
metasploit via4
description This module identifies IPMI 2.0-compatible systems and attempts to retrieve the HMAC-SHA1 password hashes of default usernames. The hashes can be stored in a file using the OUTPUT_FILE option and then cracked using hmac_sha1_crack.rb in the tools subdirectory as well as hashcat (cpu) 0.46 or newer using type 7300.
id MSF:AUXILIARY/SCANNER/IPMI/IPMI_DUMPHASHES
last seen 2019-03-24
modified 2018-09-15
published 2013-06-23
reliability Normal
reporter Rapid7
source https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ipmi/ipmi_dumphashes.rb
title IPMI 2.0 RAKP Remote SHA1 Password Hash Retrieval
nessus via4
NASL family General
NASL id IPMI_PASSHASH_DISCLOSURE.NASL
description The remote host supports IPMI v2.0. The Intelligent Platform Management Interface (IPMI) protocol is affected by an information disclosure vulnerability due to the support of RMCP+ Authenticated Key-Exchange Protocol (RAKP) authentication. A remote attacker can obtain password hash information for valid user accounts via the HMAC from a RAKP message 2 response from a BMC.
last seen 2019-02-21
modified 2018-07-12
plugin id 80101
published 2014-12-18
reporter Tenable
source https://www.tenable.com/plugins/index.php?view=single&id=80101
title IPMI v2.0 Password Hash Disclosure
refmap via4
confirm
hp HPSBHF02981
misc
Last major update 22-08-2016 - 22:06
Published 08-07-2013 - 18:55
Last modified 09-05-2018 - 21:29