Lenovo Security Advisory: LEN-10617
Potential Impact: Access to systems through IPMI if default settings are not changed
Severity: High
**Scope of Impact:** Industry-Wide
**CVE Identifiers:** CVE-2013-4037, CVE-2013-4031
Summary Description:
Various risks with the industry-standard Intelligent Platform Management Interface (IPMI) have been identified and documented in the IT security community. Because the Lenovo System x Integrated Management Module (IMM), IMM2 and ThinkServer System Manager (TSM) provide IPMI access by default, a subset of these identified risks is applicable to those servers.
The Intelligent Platform Management Interface (IPMI) is an industry-standard protocol supported by Lenovo and more than 200 computer system vendors that consists of a set of computer interface specifications that can be used by system administrators for out-of-band management and monitoring of host computer systems independent of their CPU, firmware and operating system.
CVE ID: CVE-2013-4037
Description:
The RAKP protocol, which is specified by the IPMI standard for authentication, has flaws. Although the IMMs and TSM do not allow the use of null passwords, a hacker could reverse engineer the RAKP transactions to determine a password. The authentication process for IPMI requires the management controller to send a hash of the requested user's password to the client, prior to the client authenticating. This process is a key part of the IPMI specification. The password hash can be broken using an offline brute force or dictionary attack.
CVSS Base Score: 4.3
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVE ID: CVE-2013-4031
Description:
The IMM, IMM2 and ThinkServer TSMs are preconfigured with one IPMI user account which has the same default login name and password on all affected systems. If a malicious user gains access to the IPMI interface using this preconfigured account, he or she would be able to power off or on, or reboot the host server, and to create or change user accounts, possibly preventing legitimate users from accessing the IMMs.
Additionally, if a user fails to change the default user name and password on each of the systems he or she has deployed, the user would have the same login information for each of the IMMs on those systems.
CVSS Base Score: 10
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Mitigation Strategy for Customers (what you should do to protect yourself):
ipmitool channel setaccess 1 #user_slot# privilege=15
Replace #user_slot# in the above command with the actual slot number (1 through 12) and repeat for each IMM/IMM2/TSM user that has been configured. The example above details the command when it is run directly on the server itself. If the IPMItool command is run remotely over the network, or if a different utility is used, the command will be different. Consult the documentation for the utility that you are using to determine the correct command syntax. Disallowing IPMI network access will remove the ability to use the weakness present in the IPMI RAKP protocol to discover user account credentials.
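An added example (not part of the Lenovo advisory) for planning and verifying the per-slot change above: it reads the output of `ipmitool user list 1` on stdin and emits the advisory's command for each configured slot that still has access on the channel. The column layout of that listing, the sample data and the function names are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example, not Lenovo code. Input: output of `ipmitool user list <channel>`.

# Print slot numbers of configured users whose channel privilege limit
# is anything other than NO ACCESS.
exposed_slots() {
    awk '
        $1 !~ /^[0-9]+$/        { next }   # header or blank line
        $1+0 < 1 || $1+0 > 12   { next }   # advisory covers slots 1 through 12
        /NO ACCESS[ \t]*$/      { next }   # already locked out on this channel
        $2 ~ /^(true|false)$/   { next }   # name column empty: slot not configured
        { print $1 }
    '
}

# Emit the advisory's command for each exposed slot, one per line, for review
# before running. This is the local (on-server) form of the command.
plan_lockdown() {
    channel="${1:-1}"
    exposed_slots | while read -r slot; do
        printf 'ipmitool channel setaccess %s %s privilege=15\n' "$channel" "$slot"
    done
}

# Succeeds only when no configured slot still has access; run it on a fresh
# listing after applying the change.
verify_lockdown() {
    [ -z "$(exposed_slots)" ]
}

# Constructed sample listing (layout assumed, account names invented).
SAMPLE_BEFORE='ID  Name             Callin  Link Auth  IPMI Msg   Channel Priv Limit
1                    true    false      true       NO ACCESS
2   svc-admin        true    true       true       ADMINISTRATOR
3   monitor          true    false      true       USER
4                    true    false      false      NO ACCESS'

# Show the plan for the sample; on a server, pipe in `ipmitool user list 1`.
printf '%s\n' "$SAMPLE_BEFORE" | plan_lockdown 1
```

A user whose name is literally `true` or `false` would be treated as an empty slot by this parser, so check such listings by hand.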