{"document":{"acknowledgments":[{"urls":["https://kb.cert.org/vuls/id/163057#acknowledgements"]}],"category":"CERT/CC Vulnerability Note","csaf_version":"2.0","notes":[{"category":"summary","text":"### Overview\r\n\r\nThe Intelligent Platform Management Interface (IPMI) implementations in multiple manufacturers' Baseboard Management Controller (BMC) software are vulnerable to IPMI session hijacking. An attacker with access to the BMC network (with IPMI enabled) can abuse the lack of session integrity to hijack sessions and execute arbitrary IPMI commands on the BMC.\r\n\r\n### Description\r\n\r\nIPMI is a computer interface specification that provides a low-level management capability independent of hardware, firmware, or operating system. IPMI is supported by many BMC manufacturers to allow for transparent access to hardware. IPMI also supports pre-boot capabilities of a computer such as selection of boot media and boot environment. BMCs are recommended to be accessible via [dedicated internal networks](https://www.cisa.gov/news-events/alerts/2013/07/26/risks-using-intelligent-platform-management-interface-ipmi) to avoid risk of exposure. \r\n\r\nIPMI sessions between a client and a BMC follow the RAKP key exchange protocol, as specified in the [IPMI 2.0 specification](https://www.intel.com/content/dam/www/public/us/en/documents/product-briefs/ipmi-second-gen-interface-spec-v2-rev1-1.pdf). This involves a session ID and a BMC random number to uniquely identify an IPMI session. The security researcher, who wishes to remain anonymous, has attempted to disclose two vulnerabilities related to BMC software and session management. The first vulnerability identifies the use of weak randomization while interacting with a BMC using IPMI sessions. 
The researcher discovered that if both the IPMI session ID and BMC's random number are predictable or constant, an attacker can either hijack a session or replay a session without knowing the password that was set to protect the BMC. The second vulnerability from the reporter identifies certain cases where the BMC software fails to enforce previously negotiated IPMI 2.0 session parameters, allowing an attacker to either downgrade or disable session verification. Due to the reuse of software or libraries, these vulnerabilities may be present in multiple models of BMC. Operators of datacenters and cloud installations with multiple servers should take sufficient precaution to protect IPMI session interaction, applying both the software updates and the recommendations to secure and isolate the networks where IPMI is accessible.\r\n\r\n### Impact\r\n\r\nAn unauthenticated attacker with access to the BMC network can predict IPMI session IDs and/or BMC random numbers to replay a previous session or hijack an IPMI session. This can allow the attacker to inject arbitrary commands into the BMC and perform high-privileged functions (reboot, power-off, re-image of the machine) that are available to the BMC. \r\n\r\n### Solution\r\n\r\n#### Apply an update\r\n\r\nPlease consult the Vendor Information section for information provided by BMC vendors to address these vulnerabilities. 
\r\n\r\n#### Restrict access\r\n\r\nAs a general good security practice, only allow connections from trusted hosts and networks to the BMC network that exposes the IPMI enabled interface.\r\n\r\n### Acknowledgements\r\nThanks to the security researcher who would like to remain anonymous for researching and reporting these vulnerabilities.\r\n\r\nThis document was written by Ben Koo.","title":"Summary"},{"category":"legal_disclaimer","text":"THIS DOCUMENT IS PROVIDED ON AN 'AS IS' BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. ","title":"Legal Disclaimer"},{"category":"other","text":"CERT/CC Vulnerability Note is a limited advisory. It primarily identifies vendors impacted by the advisory and not specific products. We only support \"known_affected\" and \"known_not_affected\" status. Please consult the vendor's statements and advisory URL if provided by the vendor for more details ","title":"Limitations of Advisory"},{"category":"other","text":"Fujitsu is aware of the vulnerabilities in IPMI and AMI MegaRAC SPx.\r\n\r\nAffected products are Fujitsu CCD (Client Computing Devices), as well as datacenter server and storage devices. 
\r\n\r\nThe Fujitsu PSIRT (Europe) released FJ-ISS-2024-041000 on https://security.ts.fujitsu.com (Security Notices) accordingly; see https://security.ts.fujitsu.com/ProductSecurity/content/Fujitsu-PSIRT-FJ-ISS-2024-041000-Security-Notice.pdf\r\n\r\nIn case of questions regarding this Fujitsu PSIRT security notice, please contact the Fujitsu PSIRT (Europe) (Fujitsu-PSIRT@fujitsu.com).","title":"Vendor statement from Fujitsu Europe"},{"category":"other","text":"Intel is not affected","title":"Vendor statement from Intel"}],"publisher":{"category":"coordinator","contact_details":"Email: cert@cert.org, Phone: +1412 268 5800","issuing_authority":"CERT/CC under DHS/CISA https://www.cisa.gov/cybersecurity also see https://kb.cert.org/ ","name":"CERT/CC","namespace":"https://kb.cert.org/"},"references":[{"url":"https://certcc.github.io/certcc_disclosure_policy","summary":"CERT/CC vulnerability disclosure policy"},{"summary":"CERT/CC document released","category":"self","url":"https://kb.cert.org/vuls/id/163057"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-28863","summary":"https://nvd.nist.gov/vuln/detail/CVE-2023-28863"},{"url":"https://www.cisa.gov/news-events/alerts/2013/07/26/risks-using-intelligent-platform-management-interface-ipmi","summary":"https://www.cisa.gov/news-events/alerts/2013/07/26/risks-using-intelligent-platform-management-interface-ipmi"},{"url":"https://www.intel.com/content/dam/www/public/us/en/documents/product-briefs/ipmi-second-gen-interface-spec-v2-rev1-1.pdf","summary":"https://www.intel.com/content/dam/www/public/us/en/documents/product-briefs/ipmi-second-gen-interface-spec-v2-rev1-1.pdf"},{"url":"https://www.kb.cert.org/vuls/id/843044","summary":"https://www.kb.cert.org/vuls/id/843044"},{"url":"https://nvd.nist.gov/vuln/detail/cve-2013-4786","summary":"https://nvd.nist.gov/vuln/detail/cve-2013-4786"}],"title":"BMC software fails to validate IPMI 
session.","tracking":{"current_release_date":"2024-08-23T15:28:55+00:00","generator":{"engine":{"name":"VINCE","version":"3.0.35"}},"id":"VU#163057","initial_release_date":"2024-04-30 18:39:05.572929+00:00","revision_history":[{"date":"2024-08-23T15:28:55+00:00","number":"1.20240823152855.4","summary":"Released on 2024-08-23T15:28:55+00:00"}],"status":"final","version":"1.20240823152855.4"}},"vulnerabilities":[{"title":"Implementations of IPMI Authenticated sessions do not provide enough randomness to protect from session hijacking, allowing an attacker to use either a predictable IPMI Session ID or a weak BMC Random Number to bypass security controls using spoofed IPMI packets to manage the BMC device.","notes":[{"category":"summary","text":"Implementations of IPMI Authenticated sessions do not provide enough randomness to protect from session hijacking, allowing an attacker to use either a predictable IPMI Session ID or a weak BMC Random Number to bypass security controls using spoofed IPMI packets to manage the BMC device."}],"cve":"CVE-2024-3411","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#163057"}],"product_status":{"known_affected":["CSAFPID-261a7c26-39cd-11f1-8422-122e2785dc9f"],"known_not_affected":["CSAFPID-2618fa9a-39cd-11f1-8422-122e2785dc9f","CSAFPID-26199676-39cd-11f1-8422-122e2785dc9f","CSAFPID-2619d8d4-39cd-11f1-8422-122e2785dc9f","CSAFPID-261a0fca-39cd-11f1-8422-122e2785dc9f","CSAFPID-261a4274-39cd-11f1-8422-122e2785dc9f","CSAFPID-261abede-39cd-11f1-8422-122e2785dc9f"]}},{"title":"Issue 2: BMCs fail to enforce negotiated integrity and confidentiality IPMI 2.","notes":[{"category":"summary","text":"Issue 2: BMCs fail to enforce negotiated integrity and confidentiality IPMI 2.0 session parameters\r\n\r\nThe affected BMCs fail to enforce the IPMI 2.0 Integrity and Confidentiality parameters that the BMC and console agreed on during session creation.\r\nFor example, in a session that was created with cipher suite 3 (RAKP-HMAC-SHA1, HMAC-SHA1-96, 
AES-CBC-128), one would expect that the BMC would refuse to process messages that lack an AuthCode and are unencrypted. Counter to that, the BMC treats these as valid messages and processes them happily."}],"cve":"CVE-2023-28863","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#163057"}],"product_status":{"known_affected":["CSAFPID-261b801c-39cd-11f1-8422-122e2785dc9f","CSAFPID-261bead4-39cd-11f1-8422-122e2785dc9f","CSAFPID-261c4312-39cd-11f1-8422-122e2785dc9f"],"known_not_affected":["CSAFPID-261b2ffe-39cd-11f1-8422-122e2785dc9f","CSAFPID-261bb6a4-39cd-11f1-8422-122e2785dc9f","CSAFPID-261c139c-39cd-11f1-8422-122e2785dc9f","CSAFPID-261c99de-39cd-11f1-8422-122e2785dc9f","CSAFPID-261d41f4-39cd-11f1-8422-122e2785dc9f"]}}],"product_tree":{"branches":[{"category":"vendor","name":"Cisco","product":{"name":"Cisco Products","product_id":"CSAFPID-2618fa9a-39cd-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"American Megatrends Incorporated (AMI)","product":{"name":"American Megatrends Incorporated (AMI) Products","product_id":"CSAFPID-26194c16-39cd-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Supermicro","product":{"name":"Supermicro Products","product_id":"CSAFPID-26199676-39cd-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Intel","product":{"name":"Intel Products","product_id":"CSAFPID-2619d8d4-39cd-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Microsoft","product":{"name":"Microsoft Products","product_id":"CSAFPID-261a0fca-39cd-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"AMD","product":{"name":"AMD Products","product_id":"CSAFPID-261a4274-39cd-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Fujitsu Europe","product":{"name":"Fujitsu Europe Products","product_id":"CSAFPID-261a7c26-39cd-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Toshiba Corporation","product":{"name":"Toshiba Corporation 
Products","product_id":"CSAFPID-261abede-39cd-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Supermicro","product":{"name":"Supermicro Products","product_id":"CSAFPID-261b2ffe-39cd-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"American Megatrends Incorporated (AMI)","product":{"name":"American Megatrends Incorporated (AMI) Products","product_id":"CSAFPID-261b801c-39cd-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Intel","product":{"name":"Intel Products","product_id":"CSAFPID-261bb6a4-39cd-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Microsoft","product":{"name":"Microsoft Products","product_id":"CSAFPID-261bead4-39cd-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"AMD","product":{"name":"AMD Products","product_id":"CSAFPID-261c139c-39cd-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Fujitsu Europe","product":{"name":"Fujitsu Europe Products","product_id":"CSAFPID-261c4312-39cd-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Toshiba Corporation","product":{"name":"Toshiba Corporation Products","product_id":"CSAFPID-261c99de-39cd-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Cisco","product":{"name":"Cisco Products","product_id":"CSAFPID-261d41f4-39cd-11f1-8422-122e2785dc9f"}}]}}