
Intel Modular Server System 10.18 CSRF Change Admin Password Exploit

Severity: Medium
Advisory ID: ZSL-2019-5514
Release Date: 13 March 2019
Vendor: Intel Corporation - https://www.intel.com
Affected Version: 10.18.100.20130627.38849, 5.5.100.20091202.19584
CVE: N/A
Tested On: lighttpd/1.4.30, lighttpd/1.4.21, PHP/5.3.10, PHP/5.2.2
Summary

The Intel Modular Server System is a blade system manufactured by Intel using their own motherboards and processors. The Intel Modular Server System consists of an Intel Modular Server Chassis, up to six diskless Compute Blades, an integrated storage area network (SAN), and three to five Service Modules.

Description

The application interface allows users to perform certain actions via HTTP requests without any check that the request was intentionally issued by the logged-in user (cross-site request forgery). This can be exploited to perform certain actions with administrative privileges, such as changing the administrator password, if a logged-in user visits a malicious web site.
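As an added illustration of the weakness described above, not the advisory's own proof of concept (which this page does not reproduce) and not Intel's code: a minimal Python model of an admin password-change handler in its CSRF-prone form beside a hardened form that checks the request method, the Origin header, a per-session synchronizer token and the current password. The Session and Request classes, the form field names and the management host are assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass, field
# Session, Request, the form field names and ALLOWED_ORIGIN are assumptions
# for this illustration; the advisory does not publish the product's parameters.
@dataclass
class Session:
    password: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))
@dataclass
class Request:
    method: str
    form: dict
    headers: dict = field(default_factory=dict)

ALLOWED_ORIGIN = "https://chassis-mgmt.example.invalid"  # constructed host

def change_password_vulnerable(session: Session, req: Request) -> bool:
    """CSRF-prone pattern: any request carrying the session cookie is honoured."""
    new = req.form.get("new_password")
    if new:
        session.password = new
    return bool(new)

def change_password_hardened(session: Session, req: Request) -> bool:
    """Same action gated by method, Origin, a per-session token and re-auth."""
    if req.method != "POST":
        return False
    # A forged cross-site request carries a foreign Origin (or none at all).
    if req.headers.get("Origin") != ALLOWED_ORIGIN:
        return False
    # Synchronizer token tied to the session; compare in constant time.
    if not hmac.compare_digest(req.form.get("csrf_token", ""), session.csrf_token):
        return False
    # Re-authentication: a third-party page cannot supply the current password.
    if not hmac.compare_digest(req.form.get("current_password", ""), session.password):
        return False
    return change_password_vulnerable(session, req)  # checks passed; apply change

def demo() -> tuple:
    """Replays one forged and one legitimate request against both handlers."""
    forged = Request("POST", {"new_password": "set-by-third-party"},
                     {"Origin": "https://other-site.invalid"})  # constructed
    s1, s2 = Session("old-secret"), Session("old-secret")
    vulnerable_hit = change_password_vulnerable(s1, forged)
    hardened_blocked = not change_password_hardened(s2, forged)
    legit = Request("POST", {"csrf_token": s2.csrf_token, "current_password": "old-secret",
                             "new_password": "new-secret"}, {"Origin": ALLOWED_ORIGIN})
    return vulnerable_hit, hardened_blocked, change_password_hardened(s2, legit)
```

`demo()` returns `(True, True, True)`: the forged request succeeds against the unchecked handler, is rejected by the hardened one, and a legitimate same-origin request with the session token and current password still goes through.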

Proof of Concept
Disclosure Timeline
11.03.2019 - Vulnerability discovered.
12.03.2019 - Vendor contacted.
12.03.2019 - Vendor acknowledges receipt of details.
13.03.2019 - Vendor informs no CVE and no patches for EoL products.
13.03.2019 - Public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
Changelog
13.03.2019 - Initial release
17.03.2019 - Added reference [1], [2], [3] and [4]