RCE Security Advisory
\nhttps:\/\/www.rcesecurity.com<\/p>\n
1. ADVISORY INFORMATION
\n=======================
\nProduct: Intel Data Center Manager
\nVendor URL: https:\/\/www.intel.com\/content\/www\/us\/en\/developer\/tools\/data-center-manager-console\/overview.html
\nType: Incorrect Use of Privileged APIs [CWE-648]\nDate found: 2022-07-16
\nDate published: 2022-12-07
\nCVSSv3 Score: 7.4 (CVSS:3.1\/AV:L\/AC:H\/PR:N\/UI:N\/S:U\/C:H\/I:H\/A:H)
\nCVE: –<\/p>\n
2. CREDITS
\n==========
\nThis vulnerability was discovered and researched by Julien Ahrens from
\nRCE Security.<\/p>\n
3. VERSIONS AFFECTED
\n====================
\nIntel Data Center Manager 5.1 (latest) and below<\/p>\n
4. INTRODUCTION
\n===============
\nEnergy costs are the fastest rising expense for today\u2019s data centers. Intel\u00ae Data
\nCenter Manager (Intel\u00ae DCM) provides real-time power and thermal consumption data,
\ngiving you the clarity you need to lower power usage, increase rack density, and
\nprolong operation during outages.<\/p>\n
(from the vendor’s homepage)<\/p>\n
5. VULNERABILITY DETAILS
\n========================
\nThe latest version (5.1) and all prior versions of Intel’s DCM are vulnerable to a
\nlocal privileges escalation vulnerability using the application user “dcm” used to
\nrun the web application and the rest interface. An attacker who gained RCE using
\nthis dcm user (i.e., through Log4j) is then able to escalate their privileges to
\nroot by abusing a weak Sudo configuration for the “dcm” user:<\/p>\n
dcm ALL=(ALL) NOPASSWD:\/usr\/local\/bin\/SDPTool
\ndcm ALL=(ALL) NOPASSWD:\/usr\/bin\/cp
\ndcm ALL=(ALL) NOPASSWD:\/usr\/bin\/chmod<\/p>\n
The Intel Server Debug and Provisioning Tool (SDP Tool) must be installed for the
\nData Center Manager to be vulnerable. Successful exploits can allow an authenticated
\nattacker to execute commands as root. In this way, the attacker can compromise the
\nvictim system’s entire confidentiality, integrity, and availability, thereby allowing
\nto persist within the attached network.<\/p>\n
6. PROOF OF CONCEPT
\n===================
\nJust one way of exploitation is by replacing the current sudoers configuration:<\/p>\n
1.Create a new sudoers configuration file using the compromised “dcm” user in i.e. \/tmp\/
\n2.sudo chmod 440 \/tmp\/sudoers
\n3.sudo cp sudoers \/etc\/sudoers
\n4.sudo \/bin\/bash<\/p>\n
7. SOLUTION
\n===========
\nNone. Intel thinks that this is not a vulnerability and therefore does also not assign
\na CVE for it.<\/p>\n
8. REPORT TIMELINE
\n==================
\n2022-07-16: Discovery of the vulnerability
\n2022-07-16: Reported to vendor via their bug bounty program
\n2022-07-18: Vendor response: Sent to “appropriate reviewers”
\n2022-07-26: Vendor states that the vulnerability “depends on something that does not exist (eg; RCE).”
\n2022-07-26: Sent a clarification that a compromise of the “dcm” account is indeed necessary, but there have been RCEs in the past (i.e. through Log4j)
\n2022-09-22: Vendor has troubles to reproduce the bug and asks for another PoC
\n2022-09-22: Sent a clarification about the PoC
\n2022-09-22: Vendor states that the report “does not clearly demonstrate a vulnerability in DCM” and the report will be closed.
\n2022-09-23: Provided the vendor with a PoC utilizing Log4shell (CVE-2021-44228) in a former version of DCM
\n2022-10-10: Vendor asks whether the Log4shell bug is still reproducible in the latest version of DCM
\n2022-10-10: Made clear that Log4shell is not the point about the report
\n2022-10-11: Vendor states “We do not clearly see a a vulnerability demonstrated in DCM”
\n2022-10-12: [Back and forth about the provided PoCs]\n2022-10-12: I’m giving up.
\n2022-12-07: Public disclosure<\/p>\n
9. REFERENCES
\n==============
\nhttps:\/\/github.com\/MrTuxracer\/advisories<\/p>\n","protected":false},"excerpt":{"rendered":"
RCE Security Advisory https:\/\/www.rcesecurity.com 1. ADVISORY INFORMATION ======================= Product: Intel Data Center Manager Vendor URL: https:\/\/www.intel.com\/content\/www\/us\/en\/developer\/tools\/data-center-manager-console\/overview.html Type: Incorrect Use of Privileged APIs [CWE-648] Date found: 2022-07-16 Date published: 2022-12-07 CVSSv3 Score: 7.4 (CVSS:3.1\/AV:L\/AC:H\/PR:N\/UI:N\/S:U\/C:H\/I:H\/A:H) CVE: – 2. CREDITS ========== This vulnerability was discovered and researched by Julien Ahrens from RCE Security. 3. VERSIONS AFFECTED ==================== Intel …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-34567","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/34567","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=34567"}],"version-history":[{"count":2,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/34567\/revisions"}],"predecessor-version":[{"id":34622,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/34567\/revisions\/34622"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=34567"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=34567"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=34567"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}