Intel Data Center Manager 5.1 Local Privilege Escalation
The latest version (5.1) and all prior versions of Intel’s Data Center Manager are vulnerable to a local privilege escalation via the application user “dcm”, which is used to run the web application and the REST interface. An attacker who has gained remote code execution as this dcm user (e.g., through Log4j) can escalate their privileges to root by abusing a weak sudo configuration for the “dcm” user.
RCE Security Advisory
https://www.rcesecurity.com
ADVISORY INFORMATION
=======================
Product: Intel Data Center Manager
Vendor URL: https://www.intel.com/content/www/us/en/developer/tools/data-center-manager-console/overview.html
Type: Incorrect Use of Privileged APIs [CWE-648]
Date found: 2022-07-16
Date published: 2022-12-07
CVSSv3 Score: 7.4 (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVE: -

CREDITS
==========
This vulnerability was discovered and researched by Julien Ahrens from
RCE Security.

VERSIONS AFFECTED
====================
Intel Data Center Manager 5.1 (latest) and below

INTRODUCTION
===============
Energy costs are the fastest rising expense for today’s data centers. Intel® Data
Center Manager (Intel® DCM) provides real-time power and thermal consumption data,
giving you the clarity you need to lower power usage, increase rack density, and
prolong operation during outages.
(from the vendor’s homepage)
VULNERABILITY DETAILS
========================
The latest version (5.1) and all prior versions of Intel’s DCM are vulnerable to a
local privilege escalation via the application user “dcm”, which is used to run the
web application and the REST interface. An attacker who has gained RCE as this dcm
user (e.g., through Log4j) can escalate their privileges to root by abusing a weak
sudo configuration for the “dcm” user:
dcm ALL=(ALL) NOPASSWD:/usr/local/bin/SDPTool
dcm ALL=(ALL) NOPASSWD:/usr/bin/cp
dcm ALL=(ALL) NOPASSWD:/usr/bin/chmod
The Intel Server Debug and Provisioning Tool (SDP Tool) must be installed for the
Data Center Manager to be vulnerable. Successful exploitation allows an authenticated
attacker to execute commands as root. In this way, the attacker can compromise the
victim system’s entire confidentiality, integrity, and availability, and can persist
within the attached network.
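An audit check a defender can run against the sudo configuration described above. This is an added example, not code from the advisory or from Intel: it parses plain user specifications (aliases and line continuations are not handled), and the sample rules, the list of file-writing binaries and the function names are constructed for this example.

```python
import re
from typing import List, Tuple

# Constructed sudoers excerpt: the three "dcm" rules quoted in the advisory plus
# a root rule and a tightly-scoped backup rule that should not be flagged.
SUDOERS_SAMPLE = """\
Defaults env_reset
root ALL=(ALL) ALL
dcm ALL=(ALL) NOPASSWD:/usr/local/bin/SDPTool
dcm ALL=(ALL) NOPASSWD:/usr/bin/cp
dcm ALL=(ALL) NOPASSWD:/usr/bin/chmod
backup ALL=(ALL) NOPASSWD:/usr/bin/rsync -a /srv/data /mnt/backup
"""

# Binaries that, when runnable as root with unrestricted arguments, let the caller
# replace or re-permission any file (the advisory's PoC uses cp and chmod to
# overwrite /etc/sudoers). Assumed starting list; extend for your environment.
FILE_WRITE_BINARIES = {"cp", "chmod", "chown", "mv", "tee", "dd"}

# user host=(runas) [TAG:]cmd[, cmd...]   (aliases and line continuations not handled)
RULE_RE = re.compile(r"^(?P<user>\S+)\s+(?P<host>[^=\s]+)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*(?P<cmds>.+)$")

def parse_sudoers(text: str) -> List[Tuple[str, str, bool, List[str]]]:
    """Return (user, runas, nopasswd, [commands]) for each user specification line."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        cmds = m.group("cmds")
        nopasswd = "NOPASSWD:" in cmds
        cmds = re.sub(r"^(?:[A-Z]+:\s*)+", "", cmds)  # drop NOPASSWD:/SETENV:/... tags
        cmd_list = [c.strip() for c in cmds.split(",") if c.strip()]
        rules.append((m.group("user"), m.group("runas") or "root", nopasswd, cmd_list))
    return rules

def audit_sudoers(text: str) -> List[str]:
    """One finding per password-less rule that grants ALL or an unrestricted file-writing binary."""
    findings = []
    for user, runas, nopasswd, cmd_list in parse_sudoers(text):
        if not nopasswd:
            continue
        for cmd in cmd_list:
            parts = cmd.split()
            binary = parts[0].rsplit("/", 1)[-1]
            if binary == "ALL" or (binary in FILE_WRITE_BINARIES and len(parts) == 1):
                findings.append(f"{user} -> ({runas}) NOPASSWD {cmd}: can rewrite arbitrary files")
    return findings

if __name__ == "__main__":
    for finding in audit_sudoers(SUDOERS_SAMPLE):
        print(finding)
```

Run it against a copy of /etc/sudoers and the files under /etc/sudoers.d; the SDPTool and rsync rules pass because they either are not generic file-writing binaries or have their arguments pinned.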
PROOF OF CONCEPT
===================
One way to exploit this is to replace the current sudoers configuration:
1. Create a new sudoers configuration file using the compromised “dcm” user, e.g. in /tmp/
2. sudo chmod 440 /tmp/sudoers
3. sudo cp sudoers /etc/sudoers
4. sudo /bin/bash
SOLUTION
===========
None. Intel does not consider this a vulnerability and therefore also does not assign
a CVE for it.

REPORT TIMELINE
==================
2022-07-16: Discovery of the vulnerability
2022-07-16: Reported to vendor via their bug bounty program
2022-07-18: Vendor response: Sent to “appropriate reviewers”
2022-07-26: Vendor states that the vulnerability “depends on something that does not exist (eg; RCE).”
2022-07-26: Sent a clarification that a compromise of the “dcm” account is indeed necessary, but there have been RCEs in the past (e.g. through Log4j)
2022-09-22: Vendor has trouble reproducing the bug and asks for another PoC
2022-09-22: Sent a clarification about the PoC
2022-09-22: Vendor states that the report “does not clearly demonstrate a vulnerability in DCM” and the report will be closed.
2022-09-23: Provided the vendor with a PoC utilizing Log4shell (CVE-2021-44228) in a former version of DCM
2022-10-10: Vendor asks whether the Log4shell bug is still reproducible in the latest version of DCM
2022-10-10: Made clear that Log4shell is not the point about the report
2022-10-11: Vendor states “We do not clearly see a vulnerability demonstrated in DCM”
2022-10-12: [Back and forth about the provided PoCs]
2022-10-12: I’m giving up.
2022-12-07: Public disclosure

REFERENCES
==============
https://github.com/MrTuxracer/advisories