Security
Headlines
HeadlinesLatestCVEs

Headline

Intel Data Center Manager 4.1.1.45749 Authentication Bypass / Spoofing

Intel Data Center Manager versions 4.1.1.45749 and below suffer from an authentication bypass vulnerability via spoofing.

Packet Storm
#vulnerability#git#intel#ldap#acer#auth

RCE Security Advisory
https://www.rcesecurity.com

  1. ADVISORY INFORMATION
    =======================
    Product: Intel Data Center Manager
    Vendor URL: https://www.intel.com/content/www/us/en/developer/tools/data-center-manager-console/overview.html
    Type: Authentication Bypass by Spoofing [CWE-290]
    Date found: 2022-06-01
    Date published: 2022-11-23
    CVSSv3 Score: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
    CVE: CVE-2022-33942

  2. CREDITS
    ==========
    This vulnerability was discovered and researched by Julien Ahrens from
    RCE Security.

  3. VERSIONS AFFECTED
    ====================
    Intel Data Center Manager 4.1.1.45749 and below

  4. INTRODUCTION
    ===============
    Energy costs are the fastest rising expense for today’s data centers. Intel® Data
    Center Manager (Intel® DCM) provides real-time power and thermal consumption data,
    giving you the clarity you need to lower power usage, increase rack density, and
    prolong operation during outages.

(from the vendor’s homepage)

  1. VULNERABILITY DETAILS
    ========================
    The application allows configuring authentication via Active Directory groups. While
    this by itself isn’t an issue, it becomes one as soon as an Active Directory group
    with a well-known SID (such as “S-1-5-32-544” or “S-1-5-32-546”) is configured to
    allow authentication to DCM. This is because Intel’s DCM only relies on the group’s
    SID to allow authentication but doesn’t verify the authenticating domain, which the
    user can give during the authentication process against the DCM Console and its REST
    interface.

Since the DCM will send all Kerberos and LDAP (authentication) requests against the
given domain, it is trivially easy to spoof the authentication responses by using an
arbitrary Kerberos and LDAP server and replying with the SID of one of the configured
Active Directory groups.

This allows an attacker to bypass the authentication schema by using any domain
with any user/password combination without actually being part of any Active Directory
groups.

  1. PROOF OF CONCEPT
    ===================
    See the referenced blog post for a full exploit.

  2. SOLUTION
    ===========
    Update to Intel DCM 5.0 or later

  3. REPORT TIMELINE
    ==================
    2022-06-01: Discovery of the vulnerability
    2022-06-28: Sent notification to Intel via their PSIRT
    2022-06-28: Vendor response: Sent to appropriate reviewers.
    2022-06-29: Vendor acknowledges the vulnerability and asks for coordinated disclosure on Nov. 8, 2022
    2022-06-30: Rejected the disclosure date, due to my own policy, which makes it: August 13, 2022
    2022-07-08: After a vendor call, I’ve submitted the issue through Intel’s bug bounty program
    2022-xx-xx: Vendor releases version 5.0 without any notification which fixes this vulnerability
    2022-11-08: Vendor (responsible CNA) assigns CVE-2022-33942
    2022-11-08: Vendor publishes security advisory INTEL-SA-00713
    2022-11-23: Public disclosure

  4. REFERENCES
    =============
    https://www.rcesecurity.com/2022/11/from-zero-to-hero-part-1-bypassing-intel-dcms-authentication-by-spoofing-kerberos-and-ldap-responses-cve-2022-33942
    https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00713.html
    https://github.com/MrTuxracer/advisories

Related news

Intel disputes seriousness of Data Centre Manager authentication flaw

Security researcher scores $10K bug bounty

CVE-2022-33942: INTEL-SA-00713

Protection mechanism failure in the Intel(R) DCM software before version 5.0 may allow an unauthenticated user to potentially enable escalation of privilege via adjacent access.

Packet Storm: Latest News

Ivanti EPM Agent Portal Command Execution