JVN#38752718
Multiple NEC Products vulnerable to authentication bypass
Overview
Multiple NEC Products contain authentication bypass vulnerability in RMCP connection using IPMI over LAN.
Products Affected
The following products which Baseboard Management Controller (BMC) firmware Rev1.09 and earlier is applied, are affected.
- Express5800/T110j
- Express5800/T110j-S
- Express5800/T110j (2nd-Gen)
- Express5800/T110j-S (2nd-Gen)
- iStorage NS100Ti
- Express5800/GT110j
Description
In Intelligent Platform Management Interface (IPMI) v1.5, Remote Management Control Protocol (RMCP) to access BMC through LAN is prescribed.
Multiple NEC products which conduct RMCP access using IPMI over LAN contain an issue in implementations of the BMC firmware and when accessing BMC through RMCP using LAN, unauthorized session may be established.
Impact
A logged-in remote attacker may obtain/modify BMC setting information, obtain monitoring information or reboot/shut down the product.
Solution
Do not use IPMI over LAN at products
It is recommended to stop using IPMI over LAN in the products.
IPMI 2.0 contains a known vulnerability (CVE-2013-4786) where the password hashes may be obtained. Therefore, disable IPMI over LAN in the products to avoid the effects of this vulnerability.
According to the developer, IPMI over LAN is enabled by default in the affected products, but would not function if LAN cable is not connected to BNC LAN port.
Apply a Workaround
If the product's IPMI over LAN must be used, apply following workaround to mitigate the effects of this vulnerability.
- Apply BMC firmware Rev1.10 or later, which this vulnerability is addressed, and use the product only in a safe intranet protected by a firewall and do not connect the BMC to the Internet.
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
| Attack Vector(AV) | Physical (P) | Local (L) | Adjacent (A) | Network (N) |
|---|---|---|---|---|
| Attack Complexity(AC) | High (H) | Low (L) | ||
| Privileges Required(PR) | High (H) | Low (L) | None (N) | |
| User Interaction(UI) | Required (R) | None (N) | ||
| Scope(S) | Unchanged (U) | Changed (C) | ||
| Confidentiality Impact(C) | None (N) | Low (L) | High (H) | |
| Integrity Impact(I) | None (N) | Low (L) | High (H) | |
| Availability Impact(A) | None (N) | Low (L) | High (H) |
| Access Vector(AV) | Local (L) | Adjacent Network (A) | Network (N) |
|---|---|---|---|
| Access Complexity(AC) | High (H) | Medium (M) | Low (L) |
| Authentication(Au) | Multiple (M) | Single (S) | None (N) |
| Confidentiality Impact(C) | None (N) | Partial (P) | Complete (C) |
| Integrity Impact(I) | None (N) | Partial (P) | Complete (C) |
| Availability Impact(A) | None (N) | Partial (P) | Complete (C) |
Credit
NEC Corporation reported this vulnerability to IPA to notify users of its solution through JVN. JPCERT/CC and NEC Corporation coordinated under the Information Security Early Warning Partnership.
Other Information
| JPCERT Alert |
|
| JPCERT Reports |
|
| CERT Advisory |
|
| CPNI Advisory |
|
| TRnotes |
|
| CVE |
CVE-2020-5633 |
| JVN iPedia |
JVNDB-2021-000002 |
Update History
- 2021/01/07
- NEC Corporation update status
- 2021/01/07
- Information under the section "Products Affected" was updated.
- 2021/01/12
- NEC Corporation update status