CVE-2013-4786 for SDX LOM vulnerability

Steps to mitigate CVE-2013-4786:

Below are the recommendations for the reported vulnerability CVE-2013-4786:

1. Set up SSL on the LOM port to encrypt your username and password.

2. Follow the NetScaler Secure Deployment Guide to isolate all management ports, including the BMC management port, on a management VLAN, as is industry best practice. This limits the threat to internal employees with access to the VLAN; Internet hackers cannot get in. The NetScaler has three zones: Internet Zone, Intranet Zone, and Management Zone. Once VLANs are set up, an external hacker would need to break through the NetScaler or another gateway to reach the BMC.

3. Use the latest BMC image for your platform to ensure RAKP+ is in use.

4. Security-conscious customers can easily set a random 16-character password using any number of free password generators. The trusted antivirus company Symantec/Norton has one on its SSL-encrypted website:

5. Follow the NetScaler Secure Deployment Guide to set up RADIUS-based, centrally controlled user/password and role-based management, which allows quick network-wide changes to passwords, roles and users. The RADIUS/Active Directory admin can set the passwords for the BMC roles, ensuring that a password generator is used and that passwords expire.

IPMI authentication is local and is separate from the network-based LDAP auth.

The only currently credible defense against breaking IPMI auth, short of turning off the IPMI port (which isn’t possible currently), is having truly random 128-bit passwords. The computational capabilities of the LOM do not matter here, since the attacker performs the computation offline and is restricted only by the capabilities of their own computational cluster.

At this point, isolating/air-gapping the LOM on a separate management VLAN and setting 16-character random passwords is a good way to prevent attacks.
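
An added example (not from the original article or from Citrix) that generates the 16-character password locally with Python's `secrets` module and shows how much offline guessing resistance each character set gives. The alphabets and the 1e12 guesses-per-second attacker rate are assumptions chosen for illustration.

```python
import math
import secrets
import string

# Candidate alphabets (constructed for this example; confirm which characters
# your BMC firmware accepts before choosing one).
ALPHABETS = {
    "hex": "0123456789abcdef",
    "alphanumeric": string.ascii_letters + string.digits,
    "printable": string.ascii_letters + string.digits + string.punctuation,
}

def generate_password(alphabet: str, length: int = 16) -> str:
    """Draw each character independently from the OS CSPRNG."""
    if len(set(alphabet)) != len(alphabet) or len(alphabet) < 2:
        raise ValueError("alphabet must contain at least 2 unique characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))

def entropy_bits(alphabet_size: int, length: int = 16) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)

def years_to_search_half(bits: float, guesses_per_second: float) -> float:
    """Expected offline search time: half the keyspace at the attacker's rate."""
    seconds = 2 ** (bits - 1) / guesses_per_second
    return seconds / (365.25 * 24 * 3600)

def report(guesses_per_second: float = 1e12):
    """Return (name, bits, years) per alphabet; the rate is an assumed figure."""
    rows = []
    for name, alphabet in ALPHABETS.items():
        bits = entropy_bits(len(alphabet))
        years = years_to_search_half(bits, guesses_per_second)
        rows.append((name, round(bits, 1), years))
    return rows

if __name__ == "__main__":
    for name, bits, years in report():
        print(f"{name:13s} {bits:6.1f} bits  ~{years:.2e} years at 1e12 guesses/s")
    print("example:", generate_password(ALPHABETS["printable"]))
```

At the assumed rate, a 16-character hex-only password falls in under a year, while the 94-character printable set reaches about 105 bits, so the character set matters as much as the length.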

