A security researcher has released details of how they were able to hack Intel’s Data Center Manager (DCM).
More specifically, Julien Ahrens of RCE Security succeeded in bypassing Intel DCM’s authentication by spoofing Kerberos and LDAP (Lightweight Directory Access Protocol) responses, creating an exploit chain that they claim yielded remote code execution (RCE) in the process.
Intel acknowledges that Ahrens uncovered a vulnerability – tracked as CVE-2022-33942 and assessed with a severity score of 8.8 – but disputes its seriousness. According to Intel, the issue represents only a privilege elevation flaw rather an RCE risk.
“A protection mechanism failure in the Intel DCM software before version 5.0 may allow an unauthenticated user to potentially enable escalation of privilege via adjacent access,” a summary by Mitre Corp explained.
Despite the contended vulnerability disclosure process, Ahrens argued successfully enough for Intel to make a one-time exception and reward the researcher with a $10,000 bug bounty – much more than it would normally pay out for this class of security problem.
Intel’s Data Centre Manager Console offers a real-time monitoring and management dashboard that can be used to manage an array of data center assets. Ahrens uncovered vulnerabilities in the product through a source code review of the decompiled application.
Some aspects of the painstaking work that followed and its results may be relevant to other security researchers and technology developers.
“It was the first time I discovered this kind of vulnerability, mainly because I barely looked at Active Directory-integrated software,” Ahrens told The Daily Swig.
“However, it might be the case that other vendors suffer from the same type of vulnerability if they don’t validate the user-defined authentication domain (which, however, should be done since it’s part of the overall authentication schema).”
Technical write-up and sequel
The researcher has published the main aspects of his findings in a detailed technical blog post that recounts the main aspects of the story. A second blog post is due out later this week.
The freelance penetration tester and security researcher added: “This specific bug also always depends on a configured Active Directory group with a well-known SID [security identifier] – so it does not apply to Active Directory implementations, per se.
“You could theoretically also exploit this using single user or custom group objects that don’t have a well-known SIDs, but that would require the attacker to either be able to guess, predict, or leak it somehow else.”
According to Ahrens. Intel resolved the vulnerability by enforcing LDAP-based [controls] and performing an additional certificate check against DCM’s internal SSL keystore, where the Active Directory CA certificate needs to be trusted.
In response to queries from The Daily Swig, Intel said it had issued a public security advisory for the issue as part of its usual process. “It’s resolved via an update to Intel® DCM software version 5.0 or later,” an Intel spokesperson added.
Copyright 2021 Associated Press. All rights reserved.
