Security
Headlines
HeadlinesLatestCVEs

Headline

Intel Data Center Manager 5.1 Local Privilege Escalation

The latest version (5.1) and all prior versions of Intel’s Data Center Manager are vulnerable to a local privileges escalation vulnerability using the application user “dcm” used to run the web application and the rest interface. An attacker who gained remote code execution using this dcm user (i.e., through Log4j) is then able to escalate their privileges to root by abusing a weak sudo configuration for the “dcm” user.

Packet Storm
#vulnerability#web#git#intel#rce#log4j#acer#auth

RCE Security Advisory
https://www.rcesecurity.com

  1. ADVISORY INFORMATION
    =======================
    Product: Intel Data Center Manager
    Vendor URL: https://www.intel.com/content/www/us/en/developer/tools/data-center-manager-console/overview.html
    Type: Incorrect Use of Privileged APIs [CWE-648]
    Date found: 2022-07-16
    Date published: 2022-12-07
    CVSSv3 Score: 7.4 (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
    CVE: -

  2. CREDITS
    ==========
    This vulnerability was discovered and researched by Julien Ahrens from
    RCE Security.

  3. VERSIONS AFFECTED
    ====================
    Intel Data Center Manager 5.1 (latest) and below

  4. INTRODUCTION
    ===============
    Energy costs are the fastest rising expense for today’s data centers. Intel® Data
    Center Manager (Intel® DCM) provides real-time power and thermal consumption data,
    giving you the clarity you need to lower power usage, increase rack density, and
    prolong operation during outages.

(from the vendor’s homepage)

  1. VULNERABILITY DETAILS
    ========================
    The latest version (5.1) and all prior versions of Intel’s DCM are vulnerable to a
    local privileges escalation vulnerability using the application user “dcm” used to
    run the web application and the rest interface. An attacker who gained RCE using
    this dcm user (i.e., through Log4j) is then able to escalate their privileges to
    root by abusing a weak Sudo configuration for the “dcm” user:

dcm ALL=(ALL) NOPASSWD:/usr/local/bin/SDPTool
dcm ALL=(ALL) NOPASSWD:/usr/bin/cp
dcm ALL=(ALL) NOPASSWD:/usr/bin/chmod

The Intel Server Debug and Provisioning Tool (SDP Tool) must be installed for the
Data Center Manager to be vulnerable. Successful exploits can allow an authenticated
attacker to execute commands as root. In this way, the attacker can compromise the
victim system’s entire confidentiality, integrity, and availability, thereby allowing
to persist within the attached network.

  1. PROOF OF CONCEPT
    ===================
    Just one way of exploitation is by replacing the current sudoers configuration:

1.Create a new sudoers configuration file using the compromised “dcm” user in i.e. /tmp/
2.sudo chmod 440 /tmp/sudoers
3.sudo cp sudoers /etc/sudoers
4.sudo /bin/bash

  1. SOLUTION
    ===========
    None. Intel thinks that this is not a vulnerability and therefore does also not assign
    a CVE for it.

  2. REPORT TIMELINE
    ==================
    2022-07-16: Discovery of the vulnerability
    2022-07-16: Reported to vendor via their bug bounty program
    2022-07-18: Vendor response: Sent to “appropriate reviewers”
    2022-07-26: Vendor states that the vulnerability “depends on something that does not exist (eg; RCE).”
    2022-07-26: Sent a clarification that a compromise of the “dcm” account is indeed necessary, but there have been RCEs in the past (i.e. through Log4j)
    2022-09-22: Vendor has troubles to reproduce the bug and asks for another PoC
    2022-09-22: Sent a clarification about the PoC
    2022-09-22: Vendor states that the report “does not clearly demonstrate a vulnerability in DCM” and the report will be closed.
    2022-09-23: Provided the vendor with a PoC utilizing Log4shell (CVE-2021-44228) in a former version of DCM
    2022-10-10: Vendor asks whether the Log4shell bug is still reproducible in the latest version of DCM
    2022-10-10: Made clear that Log4shell is not the point about the report
    2022-10-11: Vendor states “We do not clearly see a a vulnerability demonstrated in DCM”
    2022-10-12: [Back and forth about the provided PoCs]
    2022-10-12: I’m giving up.
    2022-12-07: Public disclosure

  3. REFERENCES
    ==============
    https://github.com/MrTuxracer/advisories

Related news

How CVSS 4.0 changes (or doesn’t) the way we see vulnerability severity

While distilling risk down to a simple numerical score is helpful for many in the security space, it is also an imperfect system that can often leave out important context.

CVE-2023-46751: Ghostscript

An issue was discovered in the function gdev_prn_open_printer_seekable() in Artifex Ghostscript through 10.02.0 allows remote attackers to crash the application via a dangling pointer.

CISA Warning: Nation-State Hackers Exploit Fortinet and Zoho Vulnerabilities

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday warned that multiple nation-state actors are exploiting security flaws in Fortinet FortiOS SSL-VPN and Zoho ManageEngine ServiceDesk Plus to gain unauthorized access and establish persistence on compromised systems. “Nation-state advanced persistent threat (APT) actors exploited CVE-2022-47966 to gain unauthorized

CVE-2023-28864: Chef Infra Server Release Notes

Progress Chef Infra Server before 15.7 allows a local attacker to exploit a /var/opt/opscode/local-mode-cache/backup world-readable temporary backup path to access sensitive information, resulting in the disclosure of all indexed node data, because OpenSearch credentials are exposed. (The data typically includes credentials for additional systems.) The attacker must wait for an admin to run the "chef-server-ctl reconfigure" command.

3 Flaws, 1 War Dominated Cyber-Threat Landscape in 2022

Attackers continued to favor software exploits, phishing, and stolen credentials as initial-access methods last year, as Log4j and the Russia-Ukraine cyber conflict changed the threat landscape.

CVE-2022-36975

This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche 6.3.2.3490. The specific flaw exists within the ProfileDaoImpl class. A crafted request can trigger execution of SQL queries composed from a user-supplied string. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-15332.

Healthcare in the Crosshairs of North Korean Cyber Operations

CISA, FBI, and South Korean intelligence agencies warn that the North Korean government is sponsoring ransomware attacks to fund its cyber-espionage activities.

CVE-2023-21850: Oracle Critical Patch Update Advisory - January 2023

Vulnerability in the Oracle Demantra Demand Management product of Oracle Supply Chain (component: E-Business Collections). Supported versions that are affected are 12.1 and 12.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Demantra Demand Management. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Demantra Demand Management accessible data. CVSS 3.1 Base Score 7.5 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).

One Year After Log4Shell, Most Firms Are Still Exposed to Attack

Though there have been fewer than expected publicly reported attacks involving the vulnerability, nearly three-quarters of organizations remain exposed to it.

Iranian Hackers Compromised a U.S. Federal Agency’s Network Using Log4Shell Exploit

Iranian government-sponsored threat actors have been blamed for compromising a U.S. federal agency by taking advantage of the Log4Shell vulnerability in an unpatched VMware Horizon server. The details, which were shared by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), come in response to incident response efforts undertaken by the authority from mid-June through mid-July 2022

Joint Advisory AA22-279A and Vulristics

Hello everyone! This episode will be about the new hot twenty vulnerabilities from CISA, NSA and FBI, Joint cybersecurity advisory (CSA) AA22-279A, and how I analyzed these vulnerabilities using my open source project Vulristics. Alternative video link (for Russia): https://vk.com/video-149273431_456239105 Americans can’t just release a list of “20 vulnerabilities most commonly exploited in attacks on […]

Chinese APT's favorite vulnerabilities revealed

Categories: Exploits and vulnerabilities Categories: News Tags: Chinese APT Tags: advanced persistent threat Tags: APT Tags: CISA Tags: NSA Tags: FBI Tags: security advisory CISA, the NSA and the FBI have compiled a list of the vulnerabilities targeted by state-sponsorted threat actors from China. (Read more...) The post Chinese APT's favorite vulnerabilities revealed appeared first on Malwarebytes Labs.

CVE-2022-24406: Full Disclosure: Open-Xchange Security Advisory 2022-07-21

OX App Suite through 7.10.6 allows SSRF because multipart/form-data boundaries are predictable, and this can lead to injection into internal Documentconverter API calls.

CVE-2022-29862: Security - OPC Foundation

An infinite loop in OPC UA .NET Standard Stack 1.04.368 allows a remote attackers to cause the application to hang via a crafted message.

CVE-2021-22057: VMSA-2021-0030

VMware Workspace ONE Access 21.08, 20.10.0.1, and 20.10 contain an authentication bypass vulnerability. A malicious actor, who has successfully provided first-factor authentication, may be able to obtain second-factor authentication provided by VMware Verify.

Microsoft’s Response to CVE-2021-44228 Apache Log4j 2

Published on: 2021 Dec 11, updated 2022 Apr 6. SUMMARY SUMMARY Microsoft continues our analysis of the remote code execution vulnerabilities related to Apache Log4j (a logging tool used in many Java-based applications) disclosed on 9 Dec 2021. Currently, Microsoft is not aware of any impact, outside of the initial disclosure involving Minecraft: Java Edition, to the security of our enterprise services and has not experienced any degradation in availability of those services as a result of this vulnerability.

CVE-2021-21285: Docker Engine release notes

In Docker before versions 9.03.15, 20.10.3 there is a vulnerability in which pulling an intentionally malformed Docker image manifest crashes the dockerd daemon. Versions 20.10.3 and 19.03.15 contain patches that prevent the daemon from crashing.

Packet Storm: Latest News

Acronis Cyber Protect/Backup Remote Code Execution