'[FD] =?utf-8?q?=5BCVE-2022-33942=5D_Intel_Data_Center_Manager_Con?= =?utf-8?b?c29sZSA8PSA0LjEuMS40NT'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       full-disclosure
Subject:    [FD] =?utf-8?q?=5BCVE-2022-33942=5D_Intel_Data_Center_Manager_Con?= =?utf-8?b?c29sZSA8PSA0LjEuMS40NT
From:       "Julien Ahrens (RCE Security)" <info () rcesecurity ! com>
Date:       2022-11-23 16:27:29
Message-ID: 4A465021-9865-4A8A-9609-3E84458DBADE () rcesecurity ! com
[Download RAW message or body]

RCE Security Advisory
https://www.rcesecurity.com

1. ADVISORY INFORMATION
=======================
Product:        Intel Data Center Manager
Vendor URL:     https://www.intel.com/content/www/us/en/developer/tools/data-center-manager-console/overview.html

Type:           Authentication Bypass by Spoofing [CWE-290]
Date found:     2022-06-01
Date published: 2022-11-23
CVSSv3 Score:   10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
CVE:            CVE-2022-33942

2. CREDITS
==========
This vulnerability was discovered and researched by Julien Ahrens from
RCE Security.

3. VERSIONS AFFECTED
====================
Intel Data Center Manager 4.1.1.45749 and below

4. INTRODUCTION
===============
Energy costs are the fastest rising expense for today's data centers. Intel Ž Data
Center Manager (Intel Ž DCM) provides real-time power and thermal consumption data,
giving you the clarity you need to lower power usage, increase rack density, and
prolong operation during outages.

(from the vendor's homepage)

5. VULNERABILITY DETAILS
========================
The application allows configuring authentication via Active Directory groups. While
this by itself isn't an issue, it becomes one as soon as an Active Directory group
with a well-known SID (such as "S-1-5-32-544" or "S-1-5-32-546") is configured to
allow authentication to DCM. This is because Intel's DCM only relies on the group's
SID to allow authentication but doesn't verify the authenticating domain, which the
user can give during the authentication process against the DCM Console and its REST
interface.

Since the DCM will send all Kerberos and LDAP (authentication) requests against the
given domain, it is trivially easy to spoof the authentication responses by using an
arbitrary Kerberos and LDAP server and replying with the SID of one of the configured
Active Directory groups.

This allows an attacker to bypass the authentication schema by using any domain
with any user/password combination without actually being part of any Active Directory
groups.

6. PROOF OF CONCEPT
===================
See the referenced blog post for a full exploit.

7. SOLUTION
===========
Update to Intel DCM 5.0 or later

8. REPORT TIMELINE
==================
2022-06-01: Discovery of the vulnerability
2022-06-28: Sent notification to Intel via their PSIRT
2022-06-28: Vendor response: Sent to appropriate reviewers.
2022-06-29: Vendor acknowledges the vulnerability and asks for coordinated disclosure on Nov. \
                8, 2022
2022-06-30: Rejected the disclosure date, due to my own policy, which makes it: August 13, 2022
2022-07-08: After a vendor call, I've submitted the issue through Intel's bug bounty program
2022-xx-xx: Vendor releases version 5.0 without any notification which fixes this vulnerability
2022-11-08: Vendor (responsible CNA) assigns CVE-2022-33942
2022-11-08: Vendor publishes security advisory INTEL-SA-00713
2022-11-23: Public disclosure

9. REFERENCES
=============
https://www.rcesecurity.com/2022/11/from-zero-to-hero-part-1-bypassing-intel-dcms-authentication-by-spoofing-kerberos-and-ldap-responses-cve-2022-33942
 https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00713.html
https://github.com/MrTuxracer/advisories

["signature.asc" (signature.asc)]

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEWVym3nC1+ioyX1+TzjvwrNEH1JsFAmN+SecACgkQzjvwrNEH
1JscCBAAz3pWMGqRFj+0oaPB05Ab9O9UXXvYcUANSOyOe9/evDDr42BoV+9q/Sth
4Ror3vi/fTS33VpPIw2Eb9m18wgi6eOzaMNkH3Hk4o/glZuz2Veadu2Cx8VEjyZo
N9/nbcEGQj3IQBDABvKJtyDDuM2Hp39RJA1XV5HlO1TKrmEgaqbBmjohVHzCyOch
jFY5o8mJMJr/5POE0ypuZnbFir7m2HxtUkP0rMGhISUncE8wUoB6IK/O+/OLkztB
wE/k5oYW4PDHWRvEZUgkxkpOBlK92cjREc1V8WtoV8seREtER0lmrqOpCnWySRNm
kpF4AlMhAgCEQx2tHE4pwA7BAVuwV82X/Kzn6xyNg4J197QNv8BMRw6lFKL7mIjN
zMLh0bS9BYWghkNGabWL+r7QKwpF/7C/R+kDtPbwTAS35LaElFDTzzy/XSCWxUgB
zjPYbQhRvV3HRy7c+iRL7aXKErKWeqkmNH2wpEP9Cqw9/qkl2AzrlY+LJ4w4oVHQ
i7lnvruvHuGq+8Z7TUMzb57jaw4Y9xXt93NTtzvkWK2rjE6LwAqKBrpfW8722+pM
2D+DL4MhvP7scKNFeaGyy1cyJh5Z6/PnxI+DlF8ie3VbFHLBlB58SlqTjMWv7Hhk
T7nR/jly55OHXJfM1VwJKSJw8nkrZqTIRr/0qTsXZnSyL8fAkBs=
=LKVf
-----END PGP SIGNATURE-----

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
--===============1278256873559774683==--

[prev in list] [next in list] [prev in thread] [next in thread] 