var-202211-0866
Vulnerability from variot
Protection mechanism failure in the Intel(R) DCM software before version 5.0 may allow an unauthenticated user to potentially enable escalation of privilege via adjacent access. RCE Security Advisory https://www.rcesecurity.com
1. ADVISORY INFORMATION
Product: Intel Data Center Manager Vendor URL: https://www.intel.com/content/www/us/en/developer/tools/data-center-manager-console/overview.html Type: Authentication Bypass by Spoofing [CWE-290] Date found: 2022-06-01 Date published: 2022-11-23 CVSSv3 Score: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) CVE: CVE-2022-33942
2. CREDITS
This vulnerability was discovered and researched by Julien Ahrens from RCE Security.
3. VERSIONS AFFECTED
Intel Data Center Manager 4.1.1.45749 and below
4. INTRODUCTION
Energy costs are the fastest rising expense for today’s data centers. Intel® Data Center Manager (Intel® DCM) provides real-time power and thermal consumption data, giving you the clarity you need to lower power usage, increase rack density, and prolong operation during outages.
(from the vendor's homepage)
5. VULNERABILITY DETAILS
The application allows configuring authentication via Active Directory groups. While this by itself isn't an issue, it becomes one as soon as an Active Directory group with a well-known SID (such as "S-1-5-32-544" or "S-1-5-32-546") is configured to allow authentication to DCM. This is because Intel's DCM only relies on the group's SID to allow authentication but doesn't verify the authenticating domain, which the user can give during the authentication process against the DCM Console and its REST interface.
Since the DCM will send all Kerberos and LDAP (authentication) requests against the given domain, it is trivially easy to spoof the authentication responses by using an arbitrary Kerberos and LDAP server and replying with the SID of one of the configured Active Directory groups.
This allows an attacker to bypass the authentication schema by using any domain with any user/password combination without actually being part of any Active Directory groups.
6. PROOF OF CONCEPT
See the referenced blog post for a full exploit.
7. SOLUTION
Update to Intel DCM 5.0 or later
8. REPORT TIMELINE
2022-06-01: Discovery of the vulnerability 2022-06-28: Sent notification to Intel via their PSIRT 2022-06-28: Vendor response: Sent to appropriate reviewers. 2022-06-29: Vendor acknowledges the vulnerability and asks for coordinated disclosure on Nov. 8, 2022 2022-06-30: Rejected the disclosure date, due to my own policy, which makes it: August 13, 2022 2022-07-08: After a vendor call, I've submitted the issue through Intel's bug bounty program 2022-xx-xx: Vendor releases version 5.0 without any notification which fixes this vulnerability 2022-11-08: Vendor (responsible CNA) assigns CVE-2022-33942 2022-11-08: Vendor publishes security advisory INTEL-SA-00713 2022-11-23: Public disclosure
9. REFERENCES
https://www.rcesecurity.com/2022/11/from-zero-to-hero-part-1-bypassing-intel-dcms-authentication-by-spoofing-kerberos-and-ldap-responses-cve-2022-33942 https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00713.html https://github.com/MrTuxracer/advisories
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-202211-0866",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "data center manager",
"scope": "lt",
"trust": 1.0,
"vendor": "intel",
"version": "5.0"
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2022-33942"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:intel:data_center_manager:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "5.0",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2022-33942"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Julien Ahrens",
"sources": [
{
"db": "PACKETSTORM",
"id": "170065"
},
{
"db": "CNNVD",
"id": "CNNVD-202211-2595"
}
],
"trust": 0.7
},
"cve": "CVE-2022-33942",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"author": "NVD",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
{
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"author": "secure@intel.com",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 2.1,
"impactScore": 6.0,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"trust": 1.0,
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
],
"severity": [
{
"author": "NVD",
"id": "CVE-2022-33942",
"trust": 1.0,
"value": "HIGH"
},
{
"author": "secure@intel.com",
"id": "CVE-2022-33942",
"trust": 1.0,
"value": "HIGH"
},
{
"author": "CNNVD",
"id": "CNNVD-202211-2595",
"trust": 0.6,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2022-33942"
},
{
"db": "NVD",
"id": "CVE-2022-33942"
},
{
"db": "CNNVD",
"id": "CNNVD-202211-2595"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Protection mechanism failure in the Intel(R) DCM software before version 5.0 may allow an unauthenticated user to potentially enable escalation of privilege via adjacent access. RCE Security Advisory\nhttps://www.rcesecurity.com\n\n\n1. ADVISORY INFORMATION\n=======================\nProduct: Intel Data Center Manager\nVendor URL: https://www.intel.com/content/www/us/en/developer/tools/data-center-manager-console/overview.html\nType: Authentication Bypass by Spoofing [CWE-290]\nDate found: 2022-06-01\nDate published: 2022-11-23\nCVSSv3 Score: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\nCVE: CVE-2022-33942\n\n\n2. CREDITS\n==========\nThis vulnerability was discovered and researched by Julien Ahrens from\nRCE Security. \n\n\n3. VERSIONS AFFECTED\n====================\nIntel Data Center Manager 4.1.1.45749 and below\n\n\n4. INTRODUCTION\n===============\nEnergy costs are the fastest rising expense for today\u2019s data centers. Intel\u00ae Data\nCenter Manager (Intel\u00ae DCM) provides real-time power and thermal consumption data,\ngiving you the clarity you need to lower power usage, increase rack density, and\nprolong operation during outages. \n\n(from the vendor\u0027s homepage)\n\n\n5. VULNERABILITY DETAILS\n========================\nThe application allows configuring authentication via Active Directory groups. While\nthis by itself isn\u0027t an issue, it becomes one as soon as an Active Directory group\nwith a well-known SID (such as \"S-1-5-32-544\" or \"S-1-5-32-546\") is configured to\nallow authentication to DCM. This is because Intel\u0027s DCM only relies on the group\u0027s\nSID to allow authentication but doesn\u0027t verify the authenticating domain, which the\nuser can give during the authentication process against the DCM Console and its REST\ninterface. \n\nSince the DCM will send all Kerberos and LDAP (authentication) requests against the\ngiven domain, it is trivially easy to spoof the authentication responses by using an\narbitrary Kerberos and LDAP server and replying with the SID of one of the configured\nActive Directory groups. \n\nThis allows an attacker to bypass the authentication schema by using any domain\nwith any user/password combination without actually being part of any Active Directory\ngroups. \n\n\n6. PROOF OF CONCEPT\n===================\nSee the referenced blog post for a full exploit. \n\n\n7. SOLUTION\n===========\nUpdate to Intel DCM 5.0 or later\n\n\n8. REPORT TIMELINE\n==================\n2022-06-01: Discovery of the vulnerability\n2022-06-28: Sent notification to Intel via their PSIRT\n2022-06-28: Vendor response: Sent to appropriate reviewers. \n2022-06-29: Vendor acknowledges the vulnerability and asks for coordinated disclosure on Nov. 8, 2022\n2022-06-30: Rejected the disclosure date, due to my own policy, which makes it: August 13, 2022\n2022-07-08: After a vendor call, I\u0027ve submitted the issue through Intel\u0027s bug bounty program\n2022-xx-xx: Vendor releases version 5.0 without any notification which fixes this vulnerability\n2022-11-08: Vendor (responsible CNA) assigns CVE-2022-33942\n2022-11-08: Vendor publishes security advisory INTEL-SA-00713\n2022-11-23: Public disclosure\n\n\n9. REFERENCES\n=============\nhttps://www.rcesecurity.com/2022/11/from-zero-to-hero-part-1-bypassing-intel-dcms-authentication-by-spoofing-kerberos-and-ldap-responses-cve-2022-33942\nhttps://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00713.html\nhttps://github.com/MrTuxracer/advisories\n",
"sources": [
{
"db": "NVD",
"id": "CVE-2022-33942"
},
{
"db": "VULHUB",
"id": "VHN-426130"
},
{
"db": "PACKETSTORM",
"id": "170065"
}
],
"trust": 1.08
},
"exploit_availability": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/exploit_availability#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"reference": "https://www.scap.org.cn/vuln/vhn-426130",
"trust": 0.1,
"type": "unknown"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-426130"
}
]
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2022-33942",
"trust": 1.8
},
{
"db": "PACKETSTORM",
"id": "170065",
"trust": 0.8
},
{
"db": "AUSCERT",
"id": "ESB-2022.5843.2",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2022.5843",
"trust": 0.6
},
{
"db": "CXSECURITY",
"id": "WLB-2022120005",
"trust": 0.6
},
{
"db": "CNNVD",
"id": "CNNVD-202211-2595",
"trust": 0.6
},
{
"db": "VULHUB",
"id": "VHN-426130",
"trust": 0.1
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-426130"
},
{
"db": "PACKETSTORM",
"id": "170065"
},
{
"db": "NVD",
"id": "CVE-2022-33942"
},
{
"db": "CNNVD",
"id": "CNNVD-202211-2595"
}
]
},
"id": "VAR-202211-0866",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VULHUB",
"id": "VHN-426130"
}
],
"trust": 0.01
},
"last_update_date": "2023-12-18T12:48:24.329000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "Intel Data Center Manager Security vulnerabilities",
"trust": 0.6,
"url": "http://123.124.177.30/web/xxk/bdxqbyid.tag?id=214643"
}
],
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202211-2595"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "NVD-CWE-Other",
"trust": 1.0
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2022-33942"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 1.8,
"url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00713.html"
},
{
"trust": 0.6,
"url": "https://cxsecurity.com/issue/wlb-2022120005"
},
{
"trust": 0.6,
"url": "https://packetstormsecurity.com/files/170065/intel-data-center-manager-4.1.1.45749-authentication-bypass-spoofing.html"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2022.5843"
},
{
"trust": 0.6,
"url": "https://cxsecurity.com/cveshow/cve-2022-33942/"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2022.5843.2"
},
{
"trust": 0.1,
"url": "https://github.com/mrtuxracer/advisories"
},
{
"trust": 0.1,
"url": "https://www.intel.com/content/www/us/en/developer/tools/data-center-manager-console/overview.html"
},
{
"trust": 0.1,
"url": "https://www.rcesecurity.com/2022/11/from-zero-to-hero-part-1-bypassing-intel-dcms-authentication-by-spoofing-kerberos-and-ldap-responses-cve-2022-33942"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-33942"
},
{
"trust": 0.1,
"url": "https://www.rcesecurity.com"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-426130"
},
{
"db": "PACKETSTORM",
"id": "170065"
},
{
"db": "NVD",
"id": "CVE-2022-33942"
},
{
"db": "CNNVD",
"id": "CNNVD-202211-2595"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "VULHUB",
"id": "VHN-426130"
},
{
"db": "PACKETSTORM",
"id": "170065"
},
{
"db": "NVD",
"id": "CVE-2022-33942"
},
{
"db": "CNNVD",
"id": "CNNVD-202211-2595"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2022-11-11T00:00:00",
"db": "VULHUB",
"id": "VHN-426130"
},
{
"date": "2022-11-30T20:48:27",
"db": "PACKETSTORM",
"id": "170065"
},
{
"date": "2022-11-11T16:15:15.097000",
"db": "NVD",
"id": "CVE-2022-33942"
},
{
"date": "2022-11-11T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202211-2595"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2022-11-17T00:00:00",
"db": "VULHUB",
"id": "VHN-426130"
},
{
"date": "2022-11-17T15:01:31.323000",
"db": "NVD",
"id": "CVE-2022-33942"
},
{
"date": "2023-03-28T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202211-2595"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote or local",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202211-2595"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Intel Data Center Manager Security hole",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202211-2595"
}
],
"trust": 0.6
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "other",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202211-2595"
}
],
"trust": 0.6
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.