What is IPMI v2.0?
IPMI stands for Intelligent Platform Management Interface. It’s a standard that allows administrators to manage servers remotely, even if the operating system is down or the machine is powered off. IPMI v2.0 is the most common version and is found in many enterprise-grade servers.
You’ll typically find IPMI enabled on:
- Dell (iDRAC)
- HP (iLO)
- Supermicro
- Lenovo
- Cisco UCS
- Other server-grade hardware with a Baseboard Management Controller (BMC)
These systems often have IPMI enabled by default, especially in data centre or remote server environments.
What Is the Vulnerability?
The IPMI v2.0 Password Hash Disclosure vulnerability (CVE-2013-4786) allows an attacker to extract password hashes from a server without logging in.
Here’s how it works:
- The attacker sends a specially crafted request to the server’s IPMI interface (usually on UDP port 623).
- The server responds with a keyed hash (an HMAC computed with that user's password, which works like a salted password hash) for the requested username.
- The attacker can then crack the hash offline using tools like Hashcat or John the Ripper.
This happens because of a flaw in RAKP (the RMCP+ Authenticated Key-Exchange Protocol) used by IPMI v2.0. The protocol sends this password-derived value before the client has proved it knows the password, so the user's identity is never verified first.
What’s the Risk?
- No login required: Attackers don’t need valid credentials to get the hash.
- Offline cracking: Once the hash is captured, it can be cracked without further interaction.
- Full control: If the attacker cracks an admin password, they can reboot the server, change BIOS settings, or install malicious firmware.
- Silent attack: The process doesn’t trigger alerts or logs on most systems.
In short, this vulnerability can lead to complete compromise of the server, especially if IPMI is exposed to the internet or a shared network.
How to Mitigate the Risk
Here are practical steps to reduce or eliminate the risk:
- Disable IPMI over LAN if you don’t need it.
- Restrict access to IPMI interfaces using firewalls or VLANs.
- Use strong, complex passwords for all IPMI accounts.
- Keep BMC firmware up to date; some vendors have released mitigations, although the weakness is in the protocol design itself, so updates reduce rather than remove the exposure.
- Monitor network traffic for unusual activity on UDP port 623.
- Use role-based access control and disable unused accounts.
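To support the monitoring step above, here is an added example (not from the original article) that parses IPMI v2.0 datagrams captured on UDP port 623, recognises RAKP message 1 (the request that triggers the hash disclosure), and reports which usernames each source is asking for. Sources requesting accounts that do not exist on the BMC are a strong sign of username guessing; the sample datagrams, the KNOWN_USERS set and the IP addresses are constructed assumptions for the demonstration.

```python
import struct

# RMCP header seen on every IPMI datagram: version 6, reserved, seq 0xff, class 7 (IPMI)
RMCP_IPMI = b"\x06\x00\xff\x07"
AUTH_RMCP_PLUS = 0x06   # IPMI v2.0 session header auth/format byte
PAYLOAD_RAKP1 = 0x12    # payload type for RAKP message 1 (carries the requested username)
KNOWN_USERS = {"admin", "ops"}  # assumed: accounts actually provisioned on the BMC

def parse_rakp1(udp_payload: bytes):
    """Return (username, requested_priv) for an RMCP+ RAKP message 1, else None."""
    if not udp_payload.startswith(RMCP_IPMI) or len(udp_payload) < 16:
        return None
    auth_type, payload_type = udp_payload[4], udp_payload[5]
    if auth_type != AUTH_RMCP_PLUS or (payload_type & 0x3F) != PAYLOAD_RAKP1:
        return None
    # session id (4), session sequence (4), payload length (2): all little-endian
    _sid, _seq, plen = struct.unpack_from("<IIH", udp_payload, 6)
    body = udp_payload[16:16 + plen]
    # RAKP1 body: tag(1) rsvd(3) bmc_session_id(4) console_random(16) priv(1) rsvd(2) name_len(1) name
    if len(body) < 28 or len(body) < 28 + body[27]:
        return None
    return body[28:28 + body[27]].decode("ascii", "replace"), body[24] & 0x0F

def audit_rakp1(datagrams, known_users=KNOWN_USERS):
    """Summarise RAKP1 activity per source IP and flag requests for unknown usernames."""
    report = {}
    for src, data in datagrams:
        parsed = parse_rakp1(data)
        if parsed is None:
            continue
        entry = report.setdefault(src, {"requests": 0, "users": set(), "unknown": set()})
        entry["requests"] += 1
        entry["users"].add(parsed[0])
        if parsed[0] not in known_users:
            entry["unknown"].add(parsed[0])
    return report

def _sample_rakp1(username: str, priv: int = 4) -> bytes:
    """Constructed sample datagram for exercising the parser (not captured traffic)."""
    name = username.encode()
    body = (b"\x00" * 4 + b"\x01\x00\x00\x00" + b"\xaa" * 16
            + bytes([priv, 0, 0, len(name)]) + name)
    header = RMCP_IPMI + bytes([AUTH_RMCP_PLUS, PAYLOAD_RAKP1]) + struct.pack("<IIH", 0, 0, len(body))
    return header + body

SAMPLES = [("10.0.0.5", _sample_rakp1("admin")),        # management host, known account
           ("198.51.100.7", _sample_rakp1("root")),     # unknown account, outside source
           ("198.51.100.7", _sample_rakp1("ADMIN")),
           ("198.51.100.7", b"\x06\x00\xff\x07\x00" + b"\x00" * 20)]  # IPMI v1.5 header, ignored
```

Feeding real UDP/623 payloads (for example from a packet capture) to audit_rakp1 gives a per-source view of who is opening RMCP+ sessions and with which account names.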
