CVE-2022-2809: Denial of Service Vulnerability in OpenBMC Project's bmcweb via Multipart Parser

The OpenBMC Project, an open-source endeavor to produce Baseboard Management Controllers (BMC) for servers, has been discovered to contain a critical vulnerability in bmcweb that can lead to a denial of service (DoS) attack. The vulnerability, identified as CVE-2022-2809, arises from an issue in how multipart_parser handles unclosed HTTP headers.

This blog post will provide a detailed analysis of the vulnerability, including its root causes, code snippets, and links to original references. We will conclude by illustrating how attackers can exploit the vulnerability to conduct DoS attacks and recommend potential mitigation strategies.

How the Vulnerability Occurs

The vulnerability is related to the multipart_parser code in bmcweb. We used the AFL++ fuzzer with address sanitizer enabled to detect the smallest memory corruptions possible within the code.

It was revealed that the multipart_parser code has a problem handling unclosed HTTP headers. If an HTTP header of sufficient length is passed in the multipart form without a colon, a one-byte overwrite occurs on the heap. If this operation is conducted multiple times in a loop, it can cause a DoS, as demonstrated in the exploit details section below.

Here's a snippet of the code from OpenBMC Project's bmcweb that illustrates the vulnerability

if(index == data.size())
{
    std::string_view key(currentToken.begin() + 1,
                         currentToken.end() - currentToken.begin());
    std::string_view value;
    handler->on_field_header(std::move(key), std::move(value));
}

As seen above, if the index equals the size of the data, the headers do not have a proper closing (:). This causes a problem in how the multipart_parser handles the unclosed headers, leading to the vulnerability.

1. OpenBMC Project's bmcweb GitHub Repository: https://github.com/openbmc/bmcweb
2. CVE-2022-2809 Denial of Service Vulnerability: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2809

Exploit Details

An attacker can exploit this vulnerability in bmcweb by sending a long HTTP header in the multipart form without a colon. When executed multiple times in a loop, it results in a one-byte overwrite on the heap, eventually leading to a denial of service (DoS) condition.

Mitigation Strategies

To protect against this vulnerability, we recommend that developers working on OpenBMC-based server products update their bmcweb code to correctly handle HTTP headers, potentially by adding appropriate checks to ensure they are correctly closed with a colon.

Additionally, administrators responsible for OpenBMC-based servers should stay informed about the progress being made to resolve this vulnerability and apply necessary patches and preventative measures as they become available.

Timeline

Published on: 10/27/2022 13:15:00 UTC
Last modified on: 10/31/2022 12:32:00 UTC