what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Intel Data Center Manager 4.1.1.45749 Authentication Bypass / Spoofing

Intel Data Center Manager 4.1.1.45749 Authentication Bypass / Spoofing
Posted Nov 30, 2022
Authored by Julien Ahrens | Site rcesecurity.com

Intel Data Center Manager versions 4.1.1.45749 and below suffer from an authentication bypass vulnerability via spoofing.

tags | advisory, spoof, bypass
advisories | CVE-2022-33942
SHA-256 | c994d19000e263ed1c33f5352902d080b70eb355d42bec09d1cf2d70a522e3e4

Intel Data Center Manager 4.1.1.45749 Authentication Bypass / Spoofing

Change Mirror Download
RCE Security Advisory
https://www.rcesecurity.com


1. ADVISORY INFORMATION
=======================
Product: Intel Data Center Manager
Vendor URL: https://www.intel.com/content/www/us/en/developer/tools/data-center-manager-console/overview.html
Type: Authentication Bypass by Spoofing [CWE-290]
Date found: 2022-06-01
Date published: 2022-11-23
CVSSv3 Score: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
CVE: CVE-2022-33942


2. CREDITS
==========
This vulnerability was discovered and researched by Julien Ahrens from
RCE Security.


3. VERSIONS AFFECTED
====================
Intel Data Center Manager 4.1.1.45749 and below


4. INTRODUCTION
===============
Energy costs are the fastest rising expense for today’s data centers. Intel® Data
Center Manager (Intel® DCM) provides real-time power and thermal consumption data,
giving you the clarity you need to lower power usage, increase rack density, and
prolong operation during outages.

(from the vendor's homepage)


5. VULNERABILITY DETAILS
========================
The application allows configuring authentication via Active Directory groups. While
this by itself isn't an issue, it becomes one as soon as an Active Directory group
with a well-known SID (such as "S-1-5-32-544" or "S-1-5-32-546") is configured to
allow authentication to DCM. This is because Intel's DCM only relies on the group's
SID to allow authentication but doesn't verify the authenticating domain, which the
user can give during the authentication process against the DCM Console and its REST
interface.

Since the DCM will send all Kerberos and LDAP (authentication) requests against the
given domain, it is trivially easy to spoof the authentication responses by using an
arbitrary Kerberos and LDAP server and replying with the SID of one of the configured
Active Directory groups.

This allows an attacker to bypass the authentication schema by using any domain
with any user/password combination without actually being part of any Active Directory
groups.


6. PROOF OF CONCEPT
===================
See the referenced blog post for a full exploit.


7. SOLUTION
===========
Update to Intel DCM 5.0 or later


8. REPORT TIMELINE
==================
2022-06-01: Discovery of the vulnerability
2022-06-28: Sent notification to Intel via their PSIRT
2022-06-28: Vendor response: Sent to appropriate reviewers.
2022-06-29: Vendor acknowledges the vulnerability and asks for coordinated disclosure on Nov. 8, 2022
2022-06-30: Rejected the disclosure date, due to my own policy, which makes it: August 13, 2022
2022-07-08: After a vendor call, I've submitted the issue through Intel's bug bounty program
2022-xx-xx: Vendor releases version 5.0 without any notification which fixes this vulnerability
2022-11-08: Vendor (responsible CNA) assigns CVE-2022-33942
2022-11-08: Vendor publishes security advisory INTEL-SA-00713
2022-11-23: Public disclosure


9. REFERENCES
=============
https://www.rcesecurity.com/2022/11/from-zero-to-hero-part-1-bypassing-intel-dcms-authentication-by-spoofing-kerberos-and-ldap-responses-cve-2022-33942
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00713.html
https://github.com/MrTuxracer/advisories
Login or Register to add favorites

File Archive:

January 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jan 1st
    0 Files
  • 2
    Jan 2nd
    13 Files
  • 3
    Jan 3rd
    5 Files
  • 4
    Jan 4th
    5 Files
  • 5
    Jan 5th
    9 Files
  • 6
    Jan 6th
    5 Files
  • 7
    Jan 7th
    0 Files
  • 8
    Jan 8th
    0 Files
  • 9
    Jan 9th
    18 Files
  • 10
    Jan 10th
    31 Files
  • 11
    Jan 11th
    30 Files
  • 12
    Jan 12th
    33 Files
  • 13
    Jan 13th
    25 Files
  • 14
    Jan 14th
    0 Files
  • 15
    Jan 15th
    0 Files
  • 16
    Jan 16th
    7 Files
  • 17
    Jan 17th
    25 Files
  • 18
    Jan 18th
    38 Files
  • 19
    Jan 19th
    6 Files
  • 20
    Jan 20th
    21 Files
  • 21
    Jan 21st
    0 Files
  • 22
    Jan 22nd
    0 Files
  • 23
    Jan 23rd
    24 Files
  • 24
    Jan 24th
    68 Files
  • 25
    Jan 25th
    22 Files
  • 26
    Jan 26th
    20 Files
  • 27
    Jan 27th
    17 Files
  • 28
    Jan 28th
    0 Files
  • 29
    Jan 29th
    0 Files
  • 30
    Jan 30th
    0 Files
  • 31
    Jan 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close