<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 14 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";
color:black;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0in;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";
color:black;}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:"Consolas","serif";
color:black;}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body bgcolor=white lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Please check to see if you have machine 128.111.28.109. See the email below – this machine needs a password on the administrator account. Please let me know if this is you so we know it gets fixed.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Reminder: everyone please be sure that your lab machines (or any laptop you bring in to UCSB) have all the latest system updates.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Thanks,<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> Matthew<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext'> COE IT Helpdesk [mailto:help@engineering.ucsb.edu] <br><b>Sent:</b> Friday, August 9, 2013 10:11 AM<br><b>To:</b> holl@cs.ucsb.edu; Matthew Turk<br><b>Cc:</b> help@engineering.ucsb.edu<br><b>Subject:</b> Fwd: [COE #54013] [UCSB-OIT #512899] Vulnerabilities Found on 128.111.28.109<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Dear Matthew,<br>Please note 
that we have received the following incident report for 128.111.28.109, ilab-109.cs. Please take the recommended action and let us know when this has been taken care of.<br>Thanks,<br>-Carmen<o:p></o:p></p><div><p class=MsoNormal><br><br>-------- Original Message -------- <o:p></o:p></p><table class=MsoNormalTable border=0 cellspacing=0 cellpadding=0><tr><td nowrap valign=top style='padding:0in 0in 0in 0in'><p class=MsoNormal align=right style='text-align:right'><b>Subject: <o:p></o:p></b></p></td><td style='padding:0in 0in 0in 0in'><p class=MsoNormal>[COE #54013] [UCSB-OIT #512899] Vulnerabilities Found on 128.111.28.109<o:p></o:p></p></td></tr><tr><td nowrap valign=top style='padding:0in 0in 0in 0in'><p class=MsoNormal align=right style='text-align:right'><b>Date: <o:p></o:p></b></p></td><td style='padding:0in 0in 0in 0in'><p class=MsoNormal>Fri, 9 Aug 2013 09:36:20 -0700<o:p></o:p></p></td></tr><tr><td nowrap valign=top style='padding:0in 0in 0in 0in'><p class=MsoNormal align=right style='text-align:right'><b>From: <o:p></o:p></b></p></td><td style='padding:0in 0in 0in 0in'><p class=MsoNormal><a href="mailto:vsc@oit.ucsb.edu">vsc@oit.ucsb.edu</a> via CoE Support <a href="mailto:help@engineering.ucsb.edu">&lt;help@engineering.ucsb.edu&gt;</a><o:p></o:p></p></td></tr><tr><td nowrap valign=top style='padding:0in 0in 0in 0in'><p class=MsoNormal align=right style='text-align:right'><b>Reply-To: <o:p></o:p></b></p></td><td style='padding:0in 0in 0in 0in'><p class=MsoNormal><a href="mailto:help@engineering.ucsb.edu">help@engineering.ucsb.edu</a><o:p></o:p></p></td></tr></table><p class=MsoNormal style='margin-bottom:12.0pt'><o:p> </o:p></p><pre>Fri Aug 09 09:36:20 2013: Request 54013 was acted upon.<o:p></o:p></pre><pre>Transaction: Ticket created by <a href="mailto:vsc@oit.ucsb.edu">vsc@oit.ucsb.edu</a><o:p></o:p></pre><pre> Queue: General<o:p></o:p></pre><pre> Subject: [UCSB-OIT #512899] Vulnerabilities Found on 128.111.28.109 <o:p></o:p></pre>
<pre> Owner: Nobody<o:p></o:p></pre><pre> Requestors: <a href="mailto:vsc@oit.ucsb.edu">vsc@oit.ucsb.edu</a><o:p></o:p></pre><pre> Status: new<o:p></o:p></pre><pre> Ticket &lt;URL: <a href="https://rt.engr.ucsb.edu/Ticket/Display.html?id=54013">https://rt.engr.ucsb.edu/Ticket/Display.html?id=54013</a> &gt;<o:p></o:p></pre><pre><o:p> </o:p></pre><pre><o:p> </o:p></pre><pre>Greetings:<o:p></o:p></pre><pre><o:p> </o:p></pre><pre>Our vulnerability scanner has found a potentially vulnerable host on your network. You should consider taking the recommended actions mentioned in this report in order to reduce the chances of this host being abused by an attacker. If you believe any part of this report to be incorrect, please let us know so that we can work to improve our reporting accuracy.<o:p></o:p></pre><pre><o:p> </o:p></pre><pre><o:p> </o:p></pre><pre>++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++<o:p></o:p></pre><pre><o:p> </o:p></pre><pre>Here is information about the vulnerabilities that were found:<o:p></o:p></pre><pre><o:p> </o:p></pre><pre>++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++<o:p></o:p></pre><pre><o:p> </o:p></pre><pre>IP : 128.111.28.109<o:p></o:p></pre><pre>Name : ilab-109.cs.ucsb.edu<o:p></o:p></pre><pre>Scan Time : Wed Jul 31 01:14:45 2013<o:p></o:p></pre><pre>Service : asf-rmcp (623/udp)<o:p></o:p></pre><pre>Plugin ID : 68931<o:p></o:p></pre><pre>Synopsis :<o:p></o:p></pre><pre><o:p> </o:p></pre><pre>The remote IPMI service is affected by an authentication bypass.<o:p></o:p></pre><pre><o:p> </o:p></pre><pre>Description :<o:p></o:p></pre><pre><o:p> </o:p></pre>
<pre>The IPMI service listening on the remote system has cipher suite zero enabled, which permits logon as an administrator without requiring a password. Once logged in, a remote attacker may perform a variety of actions, including powering off the remote system.<o:p></o:p></pre><pre><o:p> </o:p></pre><pre>See also :<o:p></o:p></pre><pre><o:p> </o:p></pre><pre><a href="http://fish2.com/ipmi/cipherzero.html">http://fish2.com/ipmi/cipherzero.html</a><o:p></o:p></pre><pre><o:p> </o:p></pre><pre>Solution :<o:p></o:p></pre><pre><o:p> </o:p></pre><pre>Disable cipher suite zero or limit access to the IPMI service.<o:p></o:p></pre><pre><o:p> </o:p></pre><pre>CVSS Base Score : 10.0<o:p></o:p></pre><pre>(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)<o:p></o:p></pre><pre><o:p> </o:p></pre><pre><o:p> </o:p></pre><pre>Plugin output :<o:p></o:p></pre><pre>Nessus was able to login using the following credentials<o:p></o:p></pre><pre>by logging in with cipher suite zero :<o:p></o:p></pre><pre><o:p> </o:p></pre><pre> Username : ADMIN<o:p></o:p></pre><pre> Password : (none)<o:p></o:p></pre><pre><o:p> </o:p></pre><pre>Nessus was able to use the above authentication bypass to<o:p></o:p></pre><pre>enumerate the following users exist on the target :<o:p></o:p></pre><pre><o:p> </o:p></pre><pre> (0x01)<o:p></o:p></pre><pre> ADMIN (0x02)<o:p></o:p></pre><pre> (0x03)<o:p></o:p></pre><pre> (0x04)<o:p></o:p></pre><pre> (0x05)<o:p></o:p></pre><pre> (0x06)<o:p></o:p></pre><pre> (0x07)<o:p></o:p></pre><pre> (0x08)<o:p></o:p></pre><pre> (0x09)<o:p></o:p></pre><pre> (0x0a)<o:p></o:p></pre><pre><o:p> </o:p></pre><pre><o:p> </o:p></pre><pre>CVE : CVE-2013-4782,CVE-2013-4783,CVE-2013-4784<o:p></o:p></pre><pre>BID : 61001<o:p></o:p></pre><pre>Other references : OSVDB:93038,OSVDB:93039,OSVDB:93040<o:p></o:p></pre><pre>++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++<o:p></o:p></pre><pre><o:p> </o:p></pre><pre><o:p> </o:p></pre><pre>-- <o:p></o:p></pre>
<pre>E. Todd Atkins<o:p></o:p></pre><pre>Office of Information Technology<o:p></o:p></pre><pre>University of California, Santa Barbara<o:p></o:p></pre><pre><o:p> </o:p></pre><pre>********************************************************************** <o:p></o:p></pre><pre>The NOC's list of network contacts is used to determine who should<o:p></o:p></pre><pre>receive email such as this. Please direct any requests for changes <o:p></o:p></pre><pre>to this list of network contacts to <a href="mailto:noc@ucsb.edu">noc@ucsb.edu</a>.<o:p></o:p></pre><pre>********************************************************************** <o:p></o:p></pre><pre><o:p> </o:p></pre><pre><o:p> </o:p></pre><p class=MsoNormal><o:p> </o:p></p></div><p class=MsoNormal><o:p> </o:p></p></div></body></html>