Published:2021/01/04  Last Updated:2021/01/12

JVN#38752718
Multiple NEC Products vulnerable to authentication bypass

Overview

Multiple NEC Products contain authentication bypass vulnerability in RMCP connection using IPMI over LAN.

Products Affected

The following products which Baseboard Management Controller (BMC) firmware Rev1.09 and earlier is applied, are affected.

  • Express5800/T110j
  • Express5800/T110j-S
  • Express5800/T110j (2nd-Gen)
  • Express5800/T110j-S (2nd-Gen)
  • iStorage NS100Ti
  • Express5800/GT110j

Description

In Intelligent Platform Management Interface (IPMI) v1.5, Remote Management Control Protocol (RMCP) to access BMC through LAN is prescribed.

Multiple NEC products which conduct RMCP access using IPMI over LAN contain an issue in implementations of the BMC firmware and when accessing BMC through RMCP using LAN, unauthorized session may be established.

Impact

A logged-in remote attacker may obtain/modify BMC setting information, obtain monitoring information or reboot/shut down the product.

Solution

Do not use IPMI over LAN at products
It is recommended to stop using IPMI over LAN in the products.
IPMI 2.0 contains a known vulnerability (CVE-2013-4786) where the password hashes may be obtained. Therefore, disable IPMI over LAN in the products to avoid the effects of this vulnerability.
According to the developer, IPMI over LAN is enabled by default in the affected products, but would not function if LAN cable is not connected to BNC LAN port.

Apply a Workaround
If the product's IPMI over LAN must be used, apply following workaround to mitigate the effects of this vulnerability.

  • Apply BMC firmware Rev1.10 or later, which this vulnerability is addressed, and use the product only in a safe intranet protected by a firewall and do not connect the BMC to the Internet.

Vendor Status

Vendor Status Last Update Vendor Notes
NEC Corporation Vulnerable 2021/01/12

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Base Score: 5.3
Attack Vector(AV) Physical (P) Local (L) Adjacent (A) Network (N)
Attack Complexity(AC) High (H) Low (L)
Privileges Required(PR) High (H) Low (L) None (N)
User Interaction(UI) Required (R) None (N)
Scope(S) Unchanged (U) Changed (C)
Confidentiality Impact(C) None (N) Low (L) High (H)
Integrity Impact(I) None (N) Low (L) High (H)
Availability Impact(A) None (N) Low (L) High (H)
CVSS v2 AV:N/AC:L/Au:N/C:P/I:N/A:N
Base Score: 5.0
Access Vector(AV) Local (L) Adjacent Network (A) Network (N)
Access Complexity(AC) High (H) Medium (M) Low (L)
Authentication(Au) Multiple (M) Single (S) None (N)
Confidentiality Impact(C) None (N) Partial (P) Complete (C)
Integrity Impact(I) None (N) Partial (P) Complete (C)
Availability Impact(A) None (N) Partial (P) Complete (C)

Credit

NEC Corporation reported this vulnerability to IPA to notify users of its solution through JVN. JPCERT/CC and NEC Corporation coordinated under the Information Security Early Warning Partnership.

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE CVE-2020-5633
JVN iPedia JVNDB-2021-000002

Update History

2021/01/07
NEC Corporation update status
2021/01/07
Information under the section "Products Affected" was updated.
2021/01/12
NEC Corporation update status