THUNDER LOM/IPMI - CVE-2013-4786 Subscribe to Security Advisories

Sunday, July 22, 2018
Sunday, July 22, 2018
Summary 

A vulnerability exists on the Lights-Out Management/Intelligent Platform Management Interface (LOM/IPMI) port of A10 Thunder devices could allow remote attacker to mount an offline, brute-force, guessing attack of the configured password.

This vulnerability is due to support for the RMCP+ Authenticated Key-Exchange (RAKP) Protocol as part of the IPMI Version 2.0 capability provided on the LOM/IPMI port for out-of-band management of Thunder devices. A flaw or limitation in the of RAKP Protocol and the HMAC information in RAKP Message 2 responses exposes password hash information that could be leveraged in such an attack and potentially and gain unauthorized access to out-of-band management services of the device.

A10 Thunder platforms that do not have an LOM/IPMI port are beyond the scope of this advisory and not exposed to this vulnerability.

There is no patch for this vulnerability; it is an inherent problem with specifications for IPMI v2.0.

Item # Vulnerability ID Score Source Score Summary
1 CVE-2013-4786 CVSS 3.0 7.5 High IPMI: Leakage of password hashes via RAKP authentication [1]
2 80101 Nessus 7.8 High IPMI v2.0 Password Hash Disclosure [2]

Affected Releases

Affected A10 Thunder platforms with LOM/IPMI ports that may be exploited by this vulnerability are broken down into two groups with the indicated platform models.

Thunder Platform Group Platforms (a)

Thunder - Group A

  • TH1030S
  • TH3030S, TH3040, TH3230, TH3430
  • TH5330

Thunder - Group L

  • TH4430, TH4435, TH4440
  • TH5430, TH5430-11, TH5430S, TH5435, TH5435S, TH5440, TH5630, TH5840, TH5840-11, TH5845
  • TH6430, TH6430S, TH6435, TH6435S, TH6440, TH6630, TH6635
  • TH7440, TH7440-11, TH7445
  • TH14045-010, TH14045-011

(a) Platforms indicated in the lists above are as of the date of publication for this advisory.
For future A10 Thunder platforms, consult their specifications for presence and support of LOM/IPMI to determine potential exposure to this vulnerability.

 

The table below indicates versions of Thunder LOM/IPMI firmware exposed to this vulnerability and versions that address it.

Versions Affected Versions Resolved or Unaffected

Group A – LOM/IPMI FW 3.x.x

None planned (a)

Group L – LOM/IPMI FW r1.8x

None planned (a)

(a) If versions of IPMI become accepted and available in the industry that correct this vulnerability, A10 will consider them for this matter in the future.

Workarounds and Mitigations 

Mitigations commonly employed in the industry for this issue include:

  • Disable the IPMI/LOM port, if it is not essential or needed.
  • Employ best practices for passwords in systems and networks.
  • Use strong passwords to limit the successfulness of off-line, dictionary attacks.
  • Use a separate or isolated management LAN/VLAN for IPMI/LOM port connectivity.
  • Use Access Control Lists (ACLs) to limit or restrict access to the IPMI/LOM port.
Software Updates 

Software updates that address these vulnerabilities are or will be published at the following URL:
https://www.a10networks.com/support/axseries/software-downloads

Vulnerability Details

The following table shares brief descriptions of the vulnerabilities addressed in this document.

Vulnerability IDVulnerability Description
CVE-2013-4786

The IPMI 2.0 specification supports RMCP+ Authenticated Key-Exchange Protocol (RAKP) authentication, which allows remote attackers to obtain password hashes and conduct offline password guessing attacks by obtaining the HMAC from a RAKP message 2 response from a BMC.

80101

Synopsis: The remote host supports IPMI version 2.0.

Description:
The remote host supports IPMI v2.0. The Intelligent Platform Management Interface (IPMI) protocol is affected by an information disclosure vulnerability due to the support of RMCP+ Authenticated Key-Exchange Protocol (RAKP) authentication. A remote attacker can obtain password hash information for valid user accounts via the HMAC from a RAKP message 2 response from a BMC.

See also :http://fish2.com/ipmi/remote-pw-cracking.html

Ports: udp/623

  • Nessus detected that the remote server has IPMI v2.0 implemented.
  • Remote unauthenticated users will be able to get password hashes for valid users.
Acknowledgements 

None.

Modification History 
RevisionDateDescription
1.0
July 22, 2018

Initial Publication