Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
certCERTVU:712660
HistoryJul 10, 2014 - 12:00 a.m.

Raritian PX power distribution software is vulnerable to the cipher zero attack.

2014-07-1000:00:00
www.kb.cert.org
24

CVSS2

10

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

EPSS

0.006

Percentile

77.9%

JSON

Overview

Raritan PX power distribution software version 01.05.08 and previous running on a model DPXR20A-16 device allows remote attackers to bypass authentication and execute arbitrary IPMI commands by using cipher suite 0 (aka cipher zero) and an arbitrary password.

Description

CWE-287: Improper Authentication- CVE-2014-2955

Raritan PX power distribution software version 01.05.08 and previous running on a model DPXR20A-16 device allows remote attackers to bypass authentication and execute arbitrary IPMI commands by using cipher suite 0 (aka cipher zero) and an arbitrary password. Other product models and software versions may also be affected.

Impact

A remote unauthenticated attacker may be able to login and administer the device with full permissions of the compromised account.

Solution

Apply an Update
Raritan has provided a limited availability release, version 1.5.11. Raritan advises users to contact their sales or technical support for more details on how to obtain the release.

Restrict Access

Appropriate firewall rules and VLAN segmentation should be implemented so the management interface is not accessible from the general network.

Vendor Information

712660

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Raritan Inc Affected

Notified: May 19, 2014 Updated: July 10, 2014

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

CVSS Metrics

Group Score Vector
Base 10 AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal 9 E:H/RL:TF/RC:C
Environmental 7.0 CDP:LM/TD:M/CR:H/IR:H/AR:H

References

Acknowledgements

Thanks to Joerg Kost for reporting this vulnerability.

This document was written by Chris King.

Other Information

CVE IDs: CVE-2014-2955
Date Public: 2014-07-10 Date First Published:

Related

cvelist 1
prion 1
cve 1
nvd 1
openvas 1
cvelist
cvelist
CVE-2014-2955
2014-07-14 21:00:00
prion
prion
Authentication flaw
2014-07-14 21:55:00
cve
cve
CVE-2014-2955
2014-07-14 21:55:05
nvd
nvd
CVE-2014-2955
2014-07-14 21:55:05
openvas
openvas
IPMI Cipher Suite 0 (Cipher Zero) Authentication Bypass Vulnerability (IPMI Protocol)
2013-11-27 00:00:00

CVSS2

10

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

EPSS

0.006

Percentile

77.9%

JSON
Related for VU:712660
cvelist1prion1cve1nvd1openvas1