[4eyes] FW: [COE #54013] [UCSB-OIT #512899] Vulnerabilities Found on 128.111.28.109

Matthew Turk mturk at cs.ucsb.edu
Fri Aug 9 10:27:32 PDT 2013


Please check to see if you have machine 128.111.28.109. See the email below – this machine needs a password on the administrator account. Please let me know if this is you so we know it gets fixed.

 

Reminder: everyone please be sure that your lab machines (or any laptop you bring in to UCSB) have all the latest system updates.

 

Thanks,

                Matthew

 

From: COE IT Helpdesk [mailto:help at engineering.ucsb.edu] 
Sent: Friday, August 9, 2013 10:11 AM
To: holl at cs.ucsb.edu; Matthew Turk
Cc: help at engineering.ucsb.edu
Subject: Fwd: [COE #54013] [UCSB-OIT #512899] Vulnerabilities Found on 128.111.28.109

 

Dear Matthew,
Please note that we have received the following incident report for 128.111.28.109, ilab-109.cs. Please take the recommended action and let us know when this has been taken care of.
Thanks,
-Carmen



-------- Original Message -------- 


Subject: [COE #54013] [UCSB-OIT #512899] Vulnerabilities Found on 128.111.28.109
Date: Fri, 9 Aug 2013 09:36:20 -0700
From: vsc at oit.ucsb.edu via CoE Support <help at engineering.ucsb.edu>
Reply-To: help at engineering.ucsb.edu

 

Fri Aug 09 09:36:20 2013: Request 54013 was acted upon.
Transaction: Ticket created by vsc at oit.ucsb.edu
       Queue: General
     Subject: [UCSB-OIT #512899] Vulnerabilities Found on 128.111.28.109 
       Owner: Nobody
  Requestors: vsc at oit.ucsb.edu
      Status: new
 Ticket <URL: https://rt.engr.ucsb.edu/Ticket/Display.html?id=54013 >
 
 
Greetings:
 
Our vulnerability scanner has found a potentially vulnerable host on your network.  You should consider taking the recommended actions mentioned in this report in order to reduce the chances of this host being abused by an attacker.  If you believe any part of this report to be incorrect, please let us know so that we can work to improve our reporting accuracy.
 
 
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 
Here is information about the vulnerabilities that were found:
 
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 
IP : 128.111.28.109
Name : ilab-109.cs.ucsb.edu
Scan Time : Wed Jul 31 01:14:45 2013
Service : asf-rmcp (623/udp)
Plugin ID : 68931
Synopsis :
 
The remote IPMI service is affected by an authentication bypass.
 
Description :
 
The IPMI service listening on the remote system has cipher suite zero enabled, which permits logon as an administrator without requiring a password.  Once logged in, a remote attacker may perform a variety of actions, including powering off the remote system.
 
See also :
 
http://fish2.com/ipmi/cipherzero.html
 
Solution :
 
Disable cipher suite zero or limit access to the IPMI service.
 
CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
 
 
Plugin output :
Nessus was able to login using the following credentials
by logging in with cipher suite zero :
 
  Username : ADMIN
  Password : (none)
 
Nessus was able to use the above authentication bypass to
enumerate the following users exist on the target :
 
   (0x01)
  ADMIN (0x02)
   (0x03)
   (0x04)
   (0x05)
   (0x06)
   (0x07)
   (0x08)
   (0x09)
   (0x0a)
 
 
CVE : CVE-2013-4782,CVE-2013-4783,CVE-2013-4784
BID : 61001
Other references : OSVDB:93038,OSVDB:93039,OSVDB:93040
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 
 
-- 
E. Todd Atkins
Office of Information Technology
University of California, Santa Barbara
 
********************************************************************** 
The NOC's list of network contacts is used to determine who should
receive email such as this.  Please direct any requests for changes 
to this list of network contacts to noc at ucsb.edu.
********************************************************************** 
 
 

 

 
