OpenBMC is an open-source project that aims to produce an open, secure, and customizable baseboard management controller (BMC) software stack for servers and embedded devices. OpenBMC plays a crucial role in monitoring the health and managing the resources of these systems. Recently, a vulnerability was discovered in OpenBMC version 2.9, identified as CVE-2021-39295, that allows an attacker to cause a denial of service via crafted IPMI messages targeting the netipmid (IPMI lan+) interface. In this post, we'll discuss this vulnerability in more detail, providing code snippets, links to original references, and information about the exploit itself.
Vulnerability Description
CVE-2021-39295 affects the netipmid (IPMI lan+) interface in OpenBMC version 2.9. By sending a specially crafted IPMI message to the vulnerable instance, an attacker can cause a denial of service (DoS) to the BMC, disrupting its operation, and potentially affecting the entire system.
Exploit Details
To exploit this vulnerability, the attacker needs to send a specifically crafted IPMI message to the targeted OpenBMC instance. The malicious message contains an incorrect checksum value that, when processed by the netipmid service, causes an unexpected exception and halts the service's operation, resulting in a denial of service.
Here's a code snippet demonstrating the vulnerable implementation
void IpmiInterface::Checksum16(const void *buf, size_t len, uint16_t *sum)
{
const uint8_t *data = reinterpret_cast<const uint8_t *>(buf);
while (len > 1)
{
*sum += ntohs(*reinterpret_cast<const uint16_t *>(data));
data += 2;
len -= 2;
}
if (len)
{
*sum += ntohs(*data << 8);
}
}
In this function, the OpenBMC code calculates the 16-bit checksum value from the provided buffer (buf). However, it does not handle the case where the buffer length (len) is odd, leading to an out-of-bounds read and undefined behavior. This is what an attacker can exploit to cause a denial of service.
Original references related to this vulnerability can be found at the following links
1. CVE-2021-39295 - NVD
2. OpenBMC GitHub Repository
3. OpenBMC Security Advisory
Mitigation and Conclusion
Although this vulnerability is serious, it can be mitigated by updating the affected OpenBMC installations to a fixed version or applying a patch to address the issue. It's always recommended to follow good security practices, such as monitoring security advisories related to the software you use and promptly applying updates and patches as they become available.
In this post, we examined the CVE-2021-39295 vulnerability in OpenBMC 2.9, presented the exploit details, provided code snippets, and linked to original references for further information. As with any critical software component, it's essential to remain vigilant about potential vulnerabilities and weaknesses in the system and prioritize fixing them to ensure the security and stability of the underlying infrastructure.
Timeline
Published on: 04/15/2023 20:16:00 UTC
Last modified on: 04/25/2023 18:23:00 UTC