NBU Appliance Vulnerability Scans....

DPeaco
Moderator

I'm getting vulnerability tickets from our threat team on our NetBackup appliances.

IPMI 2.0 RAKP RMCP+ Authentication HMAC Password Hash Exposure

and

IPMI 2.0 Cipher Type Zero Authentication Bypass Vulnerability

What is my best path of resolution to these issues? Please advise.

Appliance is a 5230 running 2.6x

Thanks,
Dennis

Accepted Solutions

mnolan
Level 6
Employee Accredited Certified

I don't believe there has been much done for the IPMI standard in regard to the RAKP hash exposure.

This is across the community and is not just specific to Symantec appliances.

From what I've read, the standard states that it has to send a salted hash to the client.

I would recommend, however, disabling other accounts from IPMI other than sysadmin and then using a strong password that is unlikely to be brute forced or in a rainbow table.

ipmitool user disable 2
ipmitool user disable 4
ipmitool user disable 5

The surefire way, of course, is to disable IPMI (either per user or across the board). Second best way is to have the network segregated to only allow access from specific locations.

---------

Per http://www.symantec.com/docs/TECH218518 , cipher zero does not actually affect our systems.

The current setting for 0 is callback and it simply does not respond.

However, you can also do the following to mark it as unused and leave only 3, 8, and 12 available (as they should be, as specified in our security guide: http://www.symantec.com/docs/DOC7350).

ipmitool lan set 3 cipher_privs XXXaXXXXaXXXaXX
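
The cipher_privs value in the answer above is positional (character N sets the maximum privilege for cipher suite N), so it is easy to miscount by hand. The following is an added example, not part of the original post or the vendor's documentation: shell helpers that build the string for suites 3, 8 and 12 and list which suites a `lan print` value leaves enabled. The function names and the sample `lan print` line are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). ipmitool cipher_privs is 15 characters;
# position N is cipher suite N (0-14). X = unused, c = CALLBACK, u = USER,
# o = OPERATOR, a = ADMIN, O = OEM.

# cipher_privs_build LEVEL ID...: LEVEL at each listed suite ID, X elsewhere.
cipher_privs_build() {
    level=$1; shift
    case $level in c|u|o|a|O) ;; *) echo "bad level: $level" >&2; return 2 ;; esac
    for id in "$@"; do
        case $id in [0-9]|1[0-4]) ;; *) echo "bad suite id: $id" >&2; return 2 ;; esac
    done
    out=; i=0
    while [ "$i" -le 14 ]; do
        ch=X
        for id in "$@"; do
            if [ "$id" = "$i" ]; then ch=$level; fi
        done
        out=$out$ch; i=$((i + 1))
    done
    printf '%s\n' "$out"
}

# cipher_privs_enabled STRING: print "id:level" for every suite that is not X.
cipher_privs_enabled() {
    s=$1; out=; i=0
    [ "${#s}" -eq 15 ] || { echo "expected 15 characters, got ${#s}" >&2; return 2; }
    while [ -n "$s" ]; do
        rest=${s#?}; ch=${s%"$rest"}
        case $ch in
            X) ;;
            c|u|o|a|O) out="$out $i:$ch" ;;
            *) echo "bad character '$ch' at position $i" >&2; return 2 ;;
        esac
        s=$rest; i=$((i + 1))
    done
    printf '%s\n' "${out# }"
}

# lan_print_privs: pull the string out of `ipmitool lan print <channel>` output (stdin).
lan_print_privs() {
    sed -n 's/^Cipher Suite Priv Max[[:space:]]*:[[:space:]]*\([XcuoaO]*\).*/\1/p'
}

# Constructed sample line, not captured from a real appliance: suite 0 at CALLBACK.
SAMPLE_LAN_PRINT='Cipher Suite Priv Max   : cXXaXXXXaXXXaXX'
current=$(printf '%s\n' "$SAMPLE_LAN_PRINT" | lan_print_privs)
echo "current: $(cipher_privs_enabled "$current")"
echo "target:  $(cipher_privs_build a 3 8 12) -> $(cipher_privs_enabled "$(cipher_privs_build a 3 8 12)")"
```

On an appliance, pipe `ipmitool lan print 3` into `lan_print_privs` before and after the change; any `0:` entry in the enabled list means cipher suite 0 is still assigned a privilege level.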

 
