CVE-2024-45656 - IBM Flexible Service Processor (FSP) Static Credentials Vulnerability: Network Users Gaining Unauthorized Privileges

IBM's Flexible Service Processor (FSP) is a crucial component for managing the system in IBM Power Systems servers. However, it has come to light that there exists a vulnerability in FSP firmware versions FW860.00 through FW860.B3, FW950.00 through FW950.C, FW103.00 through FW103.61, FW105.00 through FW105.21, and FW106.00 through FW106.10. The vulnerability, identified as CVE-2024-45656, lies in the use of static credentials in the FSP. This may potentially allow unauthorized network users to gain service privileges to the FSP, which might lead to unauthorized control over these systems.

The Vulnerability - CVE-2024-45656

The vulnerability is caused due to the use of static credentials that are hard-coded within the FSP firmware. Attackers with network access can easily obtain these credentials and use them to gain unauthorized access to the FSP as a service user. This level of access is particularly concerning, as it grants the user a high degree of control over the system.

Code Snippet

The following code snippet demonstrates how the hardcoded credentials are present within the source code:

#include <stdio.h>
#include <string.h>
#include <stdlib.h>

int main() {
  char user[] = "StaticUser";
  char pass[] = "StaticPassword123";
  
  // Check against input user and pass
  if (strcmp(user, input_username) ==  && strcmp(pass, input_password) == ){
    printf("Access granted.\n");
  } else {
    printf("Access denied.\n");
  }

  return ;
}

Exploit Details

An attacker with network access can potentially exploit this vulnerability by crafting a request containing the hardcoded credentials to gain unauthorized access to the FSP. Due to the nature of the FSP, it can be expected that an attacker with service user privileges would have the ability to perform actions such as shutting down systems, modifying configurations, or gaining further access to other network resources.

Original References

1. IBM Security Bulletin: Description of CVE-2024-45656, affected products, and the recommended action for updating FSP firmware.
2. National Vulnerability Database (NVD): Contains detailed information about the vulnerability and lists the affected products and versions.

Mitigation

To address this vulnerability, IBM has provided firmware updates for the affected FSP versions. It is strongly recommended that organizations update their FSP firmware to the latest available version to mitigate the associated risks.

Conclusion

The CVE-2024-45656 vulnerability in IBM's Flexible Service Processor (FSP) reveals the importance of avoiding static credentials in software. Organizations must ensure that their systems are up-to-date and secure by updating their FSP firmware in response to this identified vulnerability. Maintaining a proactive security posture and keeping systems patched and current is essential to safeguard sensitive information and prevent unauthorized access to critical systems.

Timeline

Published on: 10/29/2024 01:15:03 UTC
Last modified on: 10/29/2024 14:34:04 UTC