Security expert receives a $10,000 bug bounty. Details of how a security researcher was able to breach Intel’s Data Center Manager (DCM) through a data centre manager authentication flaw have been made public.

More specifically, Julien Ahrens of RCE Security was able to bypass Intel DCM’s authentication by spoofing Kerberos and LDAP responses. He says this allowed him to build an exploit chain leading to remote code execution (RCE).

Intel acknowledges that Ahrens found a vulnerability, tracked as CVE-2022-33942 and given a severity rating of 8.8, but disputes its severity: Intel classifies the problem as a privilege escalation flaw, not an RCE risk.

According to a summary by Mitre Corp, “a protective mechanism failure in the Intel DCM software before version 5.0 may allow an unauthenticated user to potentially enable privilege escalation via neighboring access.”

Despite the contested disclosure process, Ahrens persuaded Intel to make an exception and award a $10,000 bug bounty, substantially more than it would usually pay for this kind of security issue.

Intel’s Data Centre Manager Console provides a real-time monitoring and management dashboard, which may be used to manage various data center assets. Ahrens reviewed the decompiled application’s source code to find flaws in the product.

Other security researchers and developers may find parts of the lengthy effort that followed, and its outcomes, useful.

Ahrens told The Daily Swig, “It was the first time I uncovered this kind of vulnerability, largely because I had hardly looked at Active Directory-integrated software.”

However, other vendors that need to validate a user-defined authentication domain (which they should, as it is part of the overall authentication scheme) may be exposed to the same type of vulnerability.

Technical write-up and sequel

The researcher has published a detailed technical blog post covering the main points of his findings; a second entry is due to go live later this week.

“The data centre manager authentication flaw also always requires a configured Active Directory organization with a well-known SID [security identifier]. Therefore, it does not apply to Active Directory implementations per se,” the independent penetration tester and security researcher continued.

A single user or custom group object without a well-known SID could also be used, but that requires the attacker to guess, predict, or otherwise leak the SID.
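As an added illustration of why a well-known SID matters here (this is not code from the researcher’s write-up or from Intel DCM), the following Python decodes a binary Active Directory objectSid and reports whether its trailing RID is a fixed, well-known value or a per-object allocation; the sample domain SID is constructed for the demo.

```python
import struct

# Active Directory allocates RIDs for custom users and groups from 1000 upwards;
# RIDs below that are fixed, well-known values that are identical in every domain.
FIRST_CUSTOM_RID = 1000
WELL_KNOWN_RIDS = {500: "Administrator", 512: "Domain Admins", 513: "Domain Users",
                   519: "Enterprise Admins", 544: "Administrators (BUILTIN)"}

def parse_sid(blob: bytes) -> str:
    """Decode a binary objectSid (as returned over LDAP) into S-1-... form."""
    if len(blob) < 8:
        raise ValueError("SID too short")
    revision, sub_count = blob[0], blob[1]
    if revision != 1 or len(blob) != 8 + 4 * sub_count:
        raise ValueError("malformed SID header")
    authority = int.from_bytes(blob[2:8], "big")        # 48-bit big-endian
    subs = struct.unpack("<%dI" % sub_count, blob[8:])  # 32-bit little-endian each
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)

def encode_sid(sid: str) -> bytes:
    """Inverse of parse_sid; used here only to build the constructed samples."""
    parts = sid.split("-")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))

def classify_sid(sid: str) -> str:
    """Say whether the trailing RID is predictable from the domain SID alone."""
    parts = sid.split("-")
    if len(parts) < 4:
        raise ValueError("SID carries no sub-authorities")
    rid = int(parts[-1])
    if rid < FIRST_CUSTOM_RID:
        return "well-known: " + WELL_KNOWN_RIDS.get(rid, "reserved RID %d" % rid)
    return "custom: RID %d allocated at creation, not predictable" % rid

if __name__ == "__main__":
    # Constructed sample domain SID; real values differ per domain.
    domain = "S-1-5-21-1004336348-1177238915-682003330"
    for rid in (512, 1105):
        sid = parse_sid(encode_sid("%s-%d" % (domain, rid)))
        print(sid, "->", classify_sid(sid))
```

A group such as Domain Admins keeps RID 512 in every domain, so only the domain-specific part of the SID is unknown, whereas a custom group’s RID exists only once the object is created.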

According to Ahrens, Intel closed the vulnerability by implementing LDAP-based [controls] and adding an extra certificate check against DCM’s internal SSL keystore, in which the Active Directory CA certificate has to be trusted.

Intel stated that, as routine procedure, a public security alert had been published for the problem. An Intel representative added, “It’s fixed by an upgrade to Intel® DCM system software 5.0 or later.”
