CVE-2013-4786
Published 2013-07-08
CVE-2013-4786: The IPMI 2.0 specification supports RMCP+ Authenticated Key-Exchange Protocol (RAKP) authentication, which allows remote attackers to obtain password hashes…
Priority P1 (86) · high · CVSS 3.0: 7.5
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N
Tags: ITW EXPLOIT · VulnCheck KEV · Ransomware
Exploited in the wild
EPSS: 81.80% (99.6th percentile)
The IPMI 2.0 specification supports RMCP+ Authenticated Key-Exchange Protocol (RAKP) authentication, which allows remote attackers to obtain password hashes and conduct offline password guessing attacks by obtaining the HMAC from a RAKP message 2 response from a BMC.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| intel | intelligent_platform_management_interface | — | — |
| oracle | fujitsu_m10_firmware | <= 2290 | — |
Detection & IOCs (extracted from sources)
- Detect RAKP hash harvesting by monitoring for RMCP+ open session requests (IPMI 2.0) on UDP 623 from unexpected or external sources; the attacker only needs to reach the BMC to extract the HMAC-SHA1 hash without valid credentials.
- Alert on RAKP Message 2 responses leaving the BMC network segment; the HMAC in the response is sufficient for offline cracking (hashcat type 7300 or hmac_sha1_crack.rb).
- Flag IPMI traffic where the RMCP+ status response contains 'unauthorized name' or 'insufficient resources for session', indicating active RAKP-based user enumeration.
- Monitor for use of default IPMI usernames (admin, ADMIN, USERID, root, Administrator) in RAKP authentication attempts against BMC devices.
- Detect Metasploit's ipmi_dumphashes scanner module activity by correlating rapid sequential RMCP+ session open requests to UDP/623 from a single source IP against multiple BMC targets.
- This is a protocol-level flaw in the IPMI 2.0 specification itself, not a software bug: BMC firmware must be updated or IPMI access restricted at the network level, as software packages (OpenIPMI, freeipmi) are not the source of the vulnerable RAKP Message 2.
- Red Hat Enterprise Linux 5, 6, and 7 versions of OpenIPMI and freeipmi are confirmed not affected, so detection focus should be on BMC hardware firmware and network-level exposure rather than OS-level packages.
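The network-level detection points above (UDP/623 from unexpected sources, and one source opening RMCP+ sessions against many BMCs in quick succession) can be checked from ordinary connection logs. The following is an added example written for this page, not code from any of the aggregated sources; the record format, the BMC segment, the allowlisted management host and the fan-out thresholds are all assumptions, and the log lines are constructed.

```python
"""Flag IPMI/RMCP+ exposure from connection-log lines (constructed sample data)."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample flow records: "<epoch> <src_ip> <dst_ip> <proto>/<dport>".
SAMPLE_FLOWS = """\
1700000000 10.10.0.5 10.10.0.20 udp/623
1700000001 10.10.0.5 10.10.0.21 udp/623
1700000002 10.10.0.5 10.10.0.22 udp/623
1700000003 10.10.0.5 10.10.0.23 udp/623
1700000010 203.0.113.7 10.10.0.20 udp/623
1700000011 10.10.0.9 10.10.0.20 tcp/443
1700000012 10.10.0.30 10.10.0.20 udp/623
"""

# Assumed: the BMC management segment and the one jump host allowed to speak IPMI to it.
BMC_SEGMENT = ip_network("10.10.0.0/24")
ALLOWED_IPMI_CLIENTS = [ip_network("10.10.0.30/32")]
FANOUT_THRESHOLD = 3  # distinct BMC targets from one source ...
FANOUT_WINDOW = 60    # ... within this many seconds

def parse_flows(text):
    """Parse the constructed record format into (ts, src, dst, proto, port) tuples."""
    flows = []
    for line in text.splitlines():
        ts, src, dst, service = line.split()
        proto, port = service.split("/")
        flows.append((int(ts), src, dst, proto, int(port)))
    return flows

def detect_ipmi_exposure(flows, allowed=ALLOWED_IPMI_CLIENTS, bmc_net=BMC_SEGMENT):
    """Return alerts for UDP/623 traffic into the BMC segment from hosts outside the
    allowlist, and for one source reaching many BMCs in a short window (scanner-like)."""
    alerts = []
    by_src = defaultdict(list)
    for ts, src, dst, proto, port in flows:
        if proto != "udp" or port != 623 or ip_address(dst) not in bmc_net:
            continue
        if not any(ip_address(src) in net for net in allowed):
            alerts.append(("unexpected_ipmi_client", src, dst))
        by_src[src].append((ts, dst))
    for src, events in by_src.items():
        events.sort()
        for ts, _ in events:
            targets = {d for t, d in events if ts <= t < ts + FANOUT_WINDOW}
            if len(targets) >= FANOUT_THRESHOLD:
                alerts.append(("ipmi_fanout", src, len(targets)))
                break
    return alerts
```

On the sample data the allowlisted host 10.10.0.30 produces no alert, while 10.10.0.5 trips both the allowlist check and the fan-out rule.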
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 7.5 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | v2.0 | 7.8 | HIGH | AV:N/AC:L/Au:N/C:C/I:N/A:N |
| vulncheck | — | 7.5 | HIGH | — |
| vendor_redhat | — | 7.5 | HIGH | — |
GHSA
GHSA-5qfx-g363-pvpg: The IPMI 2
ghsa_unreviewed · 2022-05-13
VulnCheck
IPMI 2.0 RMCP+ Authenticated Key-Exchange Protocol (RAKP) Security Bypass
vulncheck · 2013 · CVSS 7.5
Affected: Oracle fujitsu_m10_firmware
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Known Ransomware Campaign Use: Known
Exploitation References: https://info.securin.io/hubfs/Securin%20Ransomware%20Report%202023.pdf
Exploit PoC: https://vulncheck.com/xdb/b1aca2030bfd; https://vulncheck.com/xdb/f4aa7ebdaa8c
Red Hat
freeipmi: Leakage of password hashes via RAKP authentication
vendor_redhat · 2013-07-08 · CVSS 7.5
Statement: This issue did not affect the versions of OpenIPMI or freeipmi as shipped with Red Hat Enterprise Linux 5, 6, and 7.
Package: freeipmi (Red Hat Enterprise Linux 5) - Not affected
Package: OpenIPMI (Red Hat Enterprise Linux 5) - Not affected
Package: freeipmi (Red Hat Enterprise Linux 6) - Not affected
Package: OpenIPMI (Red Hat Enterprise Linux 6) - Not affected
Package: freeipmi (Red Hat Enterprise Linux 7) - Not affected
Package: OpenIPMI (Red Ha
No detection rules found.
Exploit-DB
Intelligent Platform Management Interface - Information Disclosure
exploitdb · 2013-07-02
---
source: https://www.securityfocus.com/bid/61076/info
Intelligent Platform Management Interface is prone to an information-disclosure vulnerability.
Attackers can exploit this issue to obtain sensitive information that may aid password guessing attacks.
Intelligent Platform Management Interface 2.0 is vulnerable; other versions may also be affected.
```perl
#!/usr/bin/env perl
#
# Usage: rak-the-ripper [options] target
#
# dan/[email protected] - 6/19/2013
#
# Special thanks to Jarrod B Johnson (), whose
# implementation of RAKP for the xCAT project (http://xcat.sourceforge.net/)
# was instrumental to furthering my understanding of the issue.
#
#
# Remote IPMI password cracker; uses the RAKP 2 protocol to guess passwords
# fro
```
Metasploit
IPMI 2.0 RAKP Remote SHA1 Password Hash Retrieval
metasploit
This module identifies IPMI 2.0-compatible systems and attempts to retrieve the HMAC-SHA1 password hashes of default usernames. The hashes can be stored in a file using the OUTPUT_FILE option and then cracked using hmac_sha1_crack.rb in the tools subdirectory, as well as hashcat (cpu) 0.46 or newer using type 7300.
Bugzilla
CVE-2013-4786 OpenIPMI, freeipmi: Leakage of password hashes via RAKP authentication
bugzilla · 2016-04-13 · CVSS 7.5
It was found that the RAKP protocol as used in the IPMI 2.0 specification allows remote attackers to obtain an HMAC IPMI password hash that can be cracked offline.
External References:
http://fish2.com/ipmi/remote-pw-cracking.html
https://community.rapid7.com/community/metasploit/blog/2013/07/02/a-penetration-testers-guide-to-ipmi
Discussion:
Created OpenIPMI tracking bugs for this issue:
Affects: fedora-all [bug 1326639]
---
Created freeipmi tracking bugs for this issue:
Affects: fedora-all [bug 1326640]
---
I'm not sure what we are supposed to do here. This is an issue in hardware. It is (the firmware in the) BMC controller that sends the RAKP 2 message. We do not send the message in any of the specified
Bugzilla
CVE-2013-4786 OpenIPMI: freeipmi: Leakage of password hashes via RAKP authentication [fedora-all]
bugzilla · 2016-04-13 · CVSS 7.5
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple su
References
- http://fish2.com/ipmi/remote-pw-cracking.html
- http://marc.info/?l=bugtraq&m=139653661621384&w=2
- http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html
- https://community.rapid7.com/community/metasploit/blog/2013/07/02/a-penetration-testers-guide-to-ipmi
- https://nvidia.custhelp.com/app/answers/detail/a_id/5010
- https://security.netapp.com/advisory/ntap-20190919-0005/
- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-c04197764