Published: Sunday, July 22nd, 2018
Last Update: Sunday, July 22nd, 2018
A vulnerability exists on the Lights-Out Management/Intelligent Platform Management Interface (LOM/IPMI) port of A10 Thunder devices that could allow a remote attacker to mount an offline, brute-force guessing attack against the configured password.
This vulnerability is due to support for the RMCP+ Authenticated Key-Exchange Protocol (RAKP) as part of the IPMI version 2.0 capability provided on the LOM/IPMI port for out-of-band management of Thunder devices. A flaw or limitation in the RAKP protocol exposes password hash information in the HMAC carried in RAKP Message 2 responses; this information could be leveraged in such an attack to potentially gain unauthorized access to the out-of-band management services of the device.
A10 Thunder platforms that do not have a LOM/IPMI port are beyond the scope of this advisory and are not exposed to this vulnerability.
There is no patch for this vulnerability; it is an inherent problem with specifications for IPMI v2.0.
- IPMI: Leakage of password hashes via RAKP authentication
- IPMI v2.0 Password Hash Disclosure
Workarounds and Mitigations
Mitigations commonly employed in the industry for this issue include:
- Disable the IPMI/LOM port, if it is not essential or needed.
- Employ best practices for passwords in systems and networks.
- Use strong passwords to limit the success of offline dictionary attacks.
- Use a separate or isolated management LAN/VLAN for IPMI/LOM port connectivity.
- Use Access Control Lists (ACLs) to limit or restrict access to the IPMI/LOM port.
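As an added example (not from the advisory or from A10), the following Python script checks the isolated-VLAN and ACL mitigations above from the defender's side: run from a host that should not be able to reach the LOM/IPMI port, a decoded RMCP Presence Pong means the port is still reachable from that segment. The function names and the sample pong bytes are constructed assumptions.

```python
import socket
import struct
from typing import Optional

RMCP_PORT = 623          # RMCP/IPMI-over-LAN listens on UDP 623
ASF_IANA = 0x000011BE    # IANA enterprise number carried in every ASF-class RMCP message
PING, PONG = 0x80, 0x40  # ASF Presence Ping / Presence Pong message types


def build_presence_ping(tag: int = 0x42) -> bytes:
    """RMCP header (version 6, seq 0xFF = no ack, class 6 = ASF) + ASF Presence Ping."""
    rmcp_header = bytes([0x06, 0x00, 0xFF, 0x06])
    asf_message = struct.pack(">IBBBB", ASF_IANA, PING, tag, 0x00, 0x00)  # data length 0
    return rmcp_header + asf_message


def parse_presence_pong(pkt: bytes) -> Optional[dict]:
    """Decode an ASF Presence Pong; None if the datagram is not a well-formed pong."""
    if len(pkt) < 28 or pkt[0] != 0x06 or pkt[3] != 0x06:
        return None
    iana, mtype, tag, _reserved, data_len = struct.unpack(">IBBBB", pkt[4:12])
    if iana != ASF_IANA or mtype != PONG or data_len != 16:
        return None
    oem_iana, _oem_defined, entities, interactions = struct.unpack(">IIBB", pkt[12:22])
    return {
        "tag": tag,
        "ipmi_supported": bool(entities & 0x80),         # bit 7: IPMI over RMCP available
        "asf_version": entities & 0x0F,                  # low nibble: ASF version (1 = 1.0)
        "rmcp_security_ext": bool(interactions & 0x80),  # bit 7: RMCP security extensions
        "oem_iana": oem_iana,
    }


def probe_lom_port(host: str, timeout: float = 2.0) -> Optional[dict]:
    """Send one Presence Ping; a matching pong means the LOM/IPMI port answered this host."""
    tag = 0x42
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_presence_ping(tag), (host, RMCP_PORT))
        try:
            data, _ = sock.recvfrom(512)
        except socket.timeout:
            return None  # no answer: the VLAN isolation / ACL holds from this vantage point
    pong = parse_presence_pong(data)
    return pong if pong and pong["tag"] == tag else None


# Constructed sample pong (not captured from a real device): entities byte 0x81 = IPMI supported, ASF 1.0
SAMPLE_PONG = bytes.fromhex("06 00 ff 06 00 00 11 be 40 42 00 10 "
                            "00 00 00 00 00 00 00 00 81 00 00 00 00 00 00 00")
```

A reachable port reported by `probe_lom_port` from a host outside the management network means the ACL or VLAN separation is not effective and should be corrected before relying on it as a mitigation.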
The IPMI 2.0 specification supports RMCP+ Authenticated Key-Exchange Protocol (RAKP) authentication, which allows remote attackers to obtain password hashes and conduct offline password guessing attacks by obtaining the HMAC from a RAKP message 2 response from a BMC.
Synopsis: The remote host supports IPMI version 2.0.
The remote host supports IPMI v2.0. The Intelligent Platform Management Interface (IPMI) protocol is affected by an information disclosure vulnerability due to the support of RMCP+ Authenticated Key-Exchange Protocol (RAKP) authentication. A remote attacker can obtain password hash information for valid user accounts via the HMAC from a RAKP message 2 response from a BMC.
See also: http://fish2.com/ipmi/remote-pw-cracking.html
- Nessus detected that the remote server has IPMI v2.0 implemented.
- Remote unauthenticated users will be able to get password hashes for valid users.
The following table shares brief descriptions for the vulnerabilities addressed in this document.
© Copyright 2018 A10 Networks, Inc. All Rights Reserved.
This document is provided on an "AS IS" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability, non-infringement or fitness for a particular use. Your use of the information in this document or materials linked from this document is at your own risk. A10 Networks, Inc. reserves the right to change or update the information in this document at any time.