OpenBMC Security Advisory - An ipmid buffer overflow can lead to privilege escalation and denial of service
Joseph Reynolds
joseph-reynolds at charter.net
Tue Oct 23 14:02:28 AEDT 2018
I posted the following in https://github.com/openbmc/openbmc/issues/3415:
> Buffer overflows were discovered in OpenBMC's IPMI Host implementation which can lead to memory corruption which can then lead to privilege escalation (running arbitrary commands as the root user), and to denial of service (by crashing the ipmid daemon).
>
> The CVSS score for these vulnerabilities is "8.2 High", with temporal score "6.9 Medium", with the following notes:
> https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:U/RC:U
>
> AV: the attack is launched from the host connection
> AC: no special circumstances are needed
> PR: the attacker must already own the host
> UI: n/a
> S: changed, because ipmid can run commands as root
> C/I/A: the BMC is totally compromised
> E: unproven
> RC: unknown, because there is no known exploit
>
> The fixes are in the https://github.com/openbmc/phosphor-host-ipmid source code repository as three git commits ending with git commit ID edb8bb069b5a5406dd06a6ef38251372ea988f5c.
>
> For more information, see OpenBMC contact information at https://github.com/openbmc/openbmc.
>
> Credit for finding these problems: Jenna Kallaher, Google Security Team
More information about the openbmc
mailing list