JVNDB-2021-000002

Multiple NEC Products vulnerable to authentication bypass

Overview

Intelligent Platform Management Interface (IPMI) v1.5 specifies the Remote Management Control Protocol (RMCP) for accessing a BMC over LAN.

Multiple NEC products that provide RMCP access using IPMI over LAN contain an issue in the implementation of their BMC firmware: when the BMC is accessed through RMCP over LAN, an unauthorized session may be established.

NEC Corporation reported this vulnerability to IPA to notify users of its solution through JVN. JPCERT/CC and NEC Corporation coordinated under the Information Security Early Warning Partnership.
CVSS Severity

CVSS V3 Severity:
Base Metrics 5.3 (Medium) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: None
CVSS V2 Severity:
Base Metrics 5.0 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Low
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: None
  • Availability Impact: None
Affected Products

The following products are affected when Baseboard Management Controller (BMC) firmware Rev1.09 and earlier is applied.

NEC Corporation
  • Express5800 /T110j
  • Express5800 /T110j-S
  • Express5800 /T110j (2nd-Gen)
  • Express5800 /T110j-S (2nd-Gen)
  • Express5800 /GT110j
  • iStorage NS100Ti

Impact

A logged-in remote attacker may obtain/modify BMC setting information, obtain monitoring information or reboot/shut down the product.
Solution

[Do not use IPMI over LAN on the products]
It is recommended to stop using IPMI over LAN on the products.
IPMI 2.0 contains a known vulnerability (CVE-2013-4786) through which password hashes may be obtained. Therefore, disable IPMI over LAN on the products to avoid the effects of this vulnerability.
According to the developer, IPMI over LAN is enabled by default in the affected products, but does not function if a LAN cable is not connected to the BMC LAN port.

[Apply a Workaround]
If the product's IPMI over LAN must be used, apply the following workaround to mitigate the effects of this vulnerability.
* Apply BMC firmware Rev1.10 or later, in which this vulnerability is addressed, use the product only in a safe intranet protected by a firewall, and do not connect the BMC to the Internet.
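
One way to check from the management network whether RMCP is still reachable on a BMC you administer after applying the solution above, as an added example (not part of this advisory or of NEC's tooling): it builds the RMCP/ASF Presence Ping used with IPMI over LAN and parses the Pong. The function names are this example's own and the sample Pong bytes are constructed.

```python
import socket
import struct

RMCP_PORT = 623            # UDP port assigned to RMCP (ASF / IPMI over LAN)
ASF_IANA = 4542            # ASF enterprise number carried in Ping and Pong
PING, PONG = 0x80, 0x40    # ASF message types

# Constructed sample reply: RMCP header, ASF header (tag 1, 16 data bytes),
# then IANA(4) OEM(4) supported-entities(1) interactions(1) reserved(6).
SAMPLE_PONG = bytes.fromhex(
    "0600ff06" "000011be" "40010010" "000011be" "00000000" "8100" "000000000000")

def build_presence_ping(tag: int = 0) -> bytes:
    # RMCP header: version 6, reserved, sequence 0xFF (no ACK wanted), class 6 (ASF)
    rmcp = bytes([0x06, 0x00, 0xFF, 0x06])
    # ASF header: IANA number, message type, tag, reserved, data length 0
    return rmcp + struct.pack(">IBBBB", ASF_IANA, PING, tag & 0xFF, 0, 0)

def parse_presence_pong(data: bytes, tag: int = 0):
    """Return the Pong's capability fields, or None if data is not a valid Pong."""
    if len(data) < 28 or data[0] != 0x06 or data[3] & 0x1F != 0x06:
        return None
    iana, mtype, rtag, _, dlen = struct.unpack(">IBBBB", data[4:12])
    if iana != ASF_IANA or mtype != PONG or rtag != tag or dlen < 16:
        return None
    entities = data[20]    # bit 7: IPMI supported, bits 3..0: ASF version
    return {"ipmi_supported": bool(entities & 0x80), "asf_version": entities & 0x0F}

def probe(host: str, timeout: float = 2.0):
    """Ping one BMC address. None means no valid Pong: disabled, filtered or down."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_presence_ping(tag=1), (host, RMCP_PORT))
            data, _ = s.recvfrom(512)
        except OSError:    # timeout or ICMP port unreachable
            return None
    return parse_presence_pong(data, tag=1)

if __name__ == "__main__":
    print(parse_presence_pong(SAMPLE_PONG, tag=1))
```

A valid Pong with `ipmi_supported` set shows that RMCP is still reachable on that address; no answer is inconclusive, so confirm the setting in the BMC configuration as well.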
Vendor Information

NEC Corporation
CWE

  1. Improper Authentication (CWE-287) [IPA Evaluation]
CVE

  1. CVE-2020-5633
References

  1. JVN : JVN#38752718
  2. National Vulnerability Database (NVD) : CVE-2020-5633
Revision History

  • [2021/01/04]
      Web page was published
  • [2021/01/08]
      Affected Products : Content was added