Script ipmi-cipher-zero

Script types: portrule
Categories: vuln, safe
Download: https://svn.nmap.org/nmap/scripts/ipmi-cipher-zero.nse

Script Summary

IPMI 2.0 Cipher Zero Authentication Bypass Scanner. This module identifies IPMI 2.0 compatible systems that are vulnerable to an authentication bypass vulnerability through the use of cipher zero.

Script Arguments

vulns.short, vulns.showall

See the documentation for the vulns library.

Example Usage

nmap -sU --script ipmi-cipher-zero -p 623 <host>

Script Output

PORT      STATE         SERVICE REASON
623/udp open|filtered unknown no-response
| ipmi-cipher-zero:
|   VULNERABLE:
|   IPMI 2.0 RAKP Cipher Zero Authentication Bypass
|     State: VULNERABLE
|     Risk factor: High
|     Description:
|
|       The issue is due to the vendor shipping their devices with the
|       cipher suite '0' (aka 'cipher zero') enabled. This allows a
|       remote attacker to authenticate to the IPMI interface using
|       an arbitrary password. The only information required is a valid
|       account, but most vendors ship with a default 'admin' account.
|       This would allow an attacker to have full control over the IPMI
|       functionality.
|
|     References:
|       http://fish2.com/ipmi/cipherzero.html
|_      https://www.us-cert.gov/ncas/alerts/TA13-207A

Requires

• ipmi
• nmap
• shortport
• stdnse
• string
• vulns

---

Author:

• Claudiu Perta <claudiu.perta@gmail.com>

License: Same as Nmap--See https://nmap.org/book/man-legal.html