Bug 1798721 (CVE-2020-5208)

Summary: CVE-2020-5208 ipmitool: Buffer overflow in read_fru_area_section function in lib/ipmi_fru.c
Product: [Other] Security Response
Reporter: Pedro Sampaio <psampaio>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
CC: jbastian, jridky, jsafrane, mbenatto, mvanderw, praveenkpaladugu, vdolezal
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: ipmitool 1.8.19
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in several functions of ipmitool that fail to properly check data received from an IPMI-over-LAN peer. An attacker controlling such a device can craft responses that trigger a buffer overflow on the host running ipmitool, leading to memory corruption, a denial of service, and possibly remote code execution.
Clones: 1799039 1799040
Last Closed: 2020-03-26 10:31:52 UTC
Bug Depends On: 1798722, 1809152, 1809153, 1809154, 1809155, 1809156, 1809157, 1820773, 1820774, 1821296, 1821297, 1821298
Bug Blocks: 1798723, 1799039, 1799040

Description Pedro Sampaio 2020-02-05 21:01:18 UTC
It's been found that multiple functions in ipmitool before 1.8.19 neglect proper checking of the data received from a remote LAN party, which may lead to buffer overflows and potentially to remote code execution on the ipmitool side. This is especially dangerous if ipmitool is run as a privileged user. This problem is fixed in version 1.8.19.

Upstream patch:

https://github.com/ipmitool/ipmitool/commit/e824c23316ae50beb7f7488f2055ac65e8b341f2

References:

https://github.com/ipmitool/ipmitool/security/advisories/GHSA-g659-9qxw-p7cp
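
Added illustrative example (not ipmitool's code, and not part of this bug report or the upstream patch). It models the class of bug the description above refers to: a FRU-area reader that lets the count byte in a Read FRU Data reply drive memcpy and the write offset without comparing it to what was requested or what fits, shown beside a hardened version that rejects such a reply. The struct layout, the FRU_CHUNK size, the device_reply stub and the hostile 60-byte count are all constructed for this example; the checks in the fixed version are the shape a reviewer would expect, not a transcription of the upstream commits.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a decoded IPMI "Read FRU Data" reply: completion
 * code, number of valid bytes in data[], then data[0] = count returned by
 * the device and data[1..count] = FRU bytes. Names are this example's own,
 * not ipmitool's. */
struct ipmi_rsp {
    uint8_t ccode;
    uint8_t data_len;
    uint8_t data[64];
};

#define FRU_CHUNK 16u   /* bytes requested per Read FRU Data transaction (assumed) */

/* Stand-in for the remote BMC. A well-behaved device echoes the requested
 * count; a hostile one over-reports it (60 bytes here, constructed). */
static void device_reply(struct ipmi_rsp *rsp, unsigned want, int hostile)
{
    unsigned count = hostile ? 60u : want;
    rsp->ccode = 0;
    rsp->data[0] = (uint8_t)count;
    memset(rsp->data + 1, 0x41, count);
    rsp->data_len = (uint8_t)(count + 1);
}

/* Vulnerable pattern: the count byte from the wire drives memcpy and the
 * offset, with no comparison against what was requested or what fits.
 * Returns the number of bytes written into frubuf so the caller can see it
 * exceed the area it sized. Callers in this file hand it an oversized
 * scratch buffer so the demonstration itself stays in bounds. */
unsigned read_fru_area_vulnerable(uint8_t *frubuf, unsigned length, int hostile)
{
    unsigned off = 0;
    while (off < length) {
        unsigned want = length - off > FRU_CHUNK ? FRU_CHUNK : length - off;
        struct ipmi_rsp rsp;
        device_reply(&rsp, want, hostile);
        if (rsp.ccode != 0)
            return off;
        unsigned got = rsp.data[0];
        memcpy(frubuf + off, rsp.data + 1, got);   /* got may exceed want */
        off += got;
    }
    return off;
}

/* Hardened form: every quantity taken from the reply is checked against the
 * request and against the destination before it is used. Returns bytes
 * written, or -1 on a malformed or over-long reply. */
int read_fru_area_fixed(uint8_t *frubuf, size_t buflen, unsigned length, int hostile)
{
    if (length > buflen)
        return -1;                           /* caller asked for more than fits */
    unsigned off = 0;
    while (off < length) {
        unsigned want = length - off > FRU_CHUNK ? FRU_CHUNK : length - off;
        struct ipmi_rsp rsp;
        device_reply(&rsp, want, hostile);
        if (rsp.ccode != 0 || rsp.data_len < 1)
            return -1;                       /* error, or no count byte at all */
        unsigned got = rsp.data[0];
        if (got == 0 || got > want)
            return -1;                       /* no progress, or more than asked for */
        if (got + 1u > rsp.data_len)
            return -1;                       /* count exceeds bytes actually received */
        if (got > buflen - off)
            return -1;                       /* would run past the destination */
        memcpy(frubuf + off, rsp.data + 1, got);
        off += got;
    }
    return (int)off;
}

int main(void)
{
    uint8_t scratch[256];                    /* oversized so the bad copy is observable */
    unsigned wrote = read_fru_area_vulnerable(scratch, 32, 1);
    printf("vulnerable: caller sized the area for 32 bytes, loop wrote %u\n", wrote);

    uint8_t area[32];
    int ok = read_fru_area_fixed(area, sizeof area, sizeof area, 0);
    int bad = read_fru_area_fixed(area, sizeof area, sizeof area, 1);
    printf("fixed: honest device -> %d bytes, hostile device -> %d\n", ok, bad);
    return 0;
}
```

The point of the "got > want" and "got + 1 > data_len" checks is that a BMC is a remote party: the count it returns must be bounded by the request that was sent and by the bytes that were actually received, not taken on trust. The final "got > buflen - off" check is redundant once those hold, but it keeps the destination bound explicit next to the memcpy.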

Comment 1 Pedro Sampaio 2020-02-05 21:01:57 UTC
Created ipmitool tracking bugs for this issue:

Affects: fedora-all [bug 1798722]

Comment 2 Vaclav Dolezal 2020-02-06 15:20:39 UTC
Notes:

ipmitool version 1.8.19 is not released yet and AFAIK there is no ETA

there are 6 commits fixing this CVE (oldest first):
e824c23316ae50beb7f7488f2055ac65e8b341f2 fru: Fix buffer overflow vulnerabilities
840fb1cbb4fb365cb9797300e3374d4faefcdb10 fru: Fix buffer overflow in ipmi_spd_print_fru
41d7026946fafbd4d1ec0bcaca3ea30a6e8eed22 session: Fix buffer overflow in ipmi_get_session_info
9452be87181a6e83cfcc768b3ed8321763db50e4 channel: Fix buffer overflow
d45572d71e70840e0d4c50bf48218492b79c1a10 lanp: Fix buffer overflows in get_lan_param_select
7ccea283dd62a05a320c1921e3d8d71a87772637 fru, sdr: Fix id_string buffer overflows

Comment 4 Marco Benatto 2020-03-02 13:18:11 UTC
External References:

https://github.com/ipmitool/ipmitool/security/advisories/GHSA-g659-9qxw-p7cp

Comment 8 Marco Benatto 2020-03-02 14:04:16 UTC
Statement:

The ipmitool packages distributed with Red Hat Enterprise Linux versions are compiled using gcc's stack-protector feature. The stack canary generated by this feature helps mitigate any remote code execution attacks for this flaw.

Comment 9 Marco Benatto 2020-03-02 14:07:30 UTC
Mitigation:

There's no mitigation available for this issue, although a few actions help to reduce the attack risk:

1) Avoid running `ipmitool` as a privileged user;
2) Avoid running `ipmitool` against non-trusted IPMI-enabled devices.

Comment 11 Marco Benatto 2020-03-02 14:51:21 UTC
There's an issue with ipmitool where, in several code paths, it fails to validate in-memory buffer offsets. When receiving data from a LAN party, ipmitool neglects to properly check the data, which may lead to heap-based buffer overflows in several code paths. An attacker may leverage this issue by crafting special payloads which may cause memory corruption, DoS and possibly remote code execution.

Talking more specifically about the remote code execution possibility, the ipmitool packages shipped with Red Hat Enterprise Linux versions are compiled using gcc's stack-protector mechanism, as demonstrated below by disassembling one of the affected functions:

gef➤  disassemble/m read_fru_area                                     
Dump of assembler code for function read_fru_area:                
617     {                                                                                                                                    
   0x00000000000361b0 <+0>:     endbr64                      
   0x00000000000361b4 <+4>:     push   r15                            
   0x00000000000361b6 <+6>:     mov    r15d,ecx
   0x00000000000361b9 <+9>:     push   r14
   0x00000000000361bb <+11>:    push   r13
   0x00000000000361bd <+13>:    push   r12
   0x00000000000361bf <+15>:    push   rbp
   0x00000000000361c0 <+16>:    push   rbx                            
   0x00000000000361c1 <+17>:    sub    rsp,0x38
   0x00000000000361c5 <+21>:    movzx  r14d,WORD PTR [rsi]         
   0x00000000000361c9 <+25>:    mov    BYTE PTR [rsp+0xf],dl
   0x00000000000361cd <+29>:    mov    rax,QWORD PTR fs:0x28 <---------- stack canary being loaded from thread data segment
   0x00000000000361d6 <+38>:    mov    QWORD PTR [rsp+0x28],rax <------- then being moved into proper position at stack
   0x00000000000361db <+43>:    xor    eax,eax                        

When returning:
   0x00000000000362bf <+271>:   cmp    r15d,ebx
   0x00000000000362c2 <+274>:   sbb    eax,eax
   0x00000000000362c4 <+276>:   mov    rbx,QWORD PTR [rsp+0x28] <----------
   0x00000000000362c9 <+281>:   xor    rbx,QWORD PTR fs:0x28 <-------------
   0x00000000000362d2 <+290>:   jne    0x364c4 <read_fru_area+788> <-------
   (the jump target, inspected with x/i:)
   gef➤  x/i read_fru_area+788
   0x364c4 <read_fru_area+788>: call   0x1a320 <__stack_chk_fail@plt>
   0x00000000000362d8 <+296>:   add    rsp,0x38
   0x00000000000362dc <+300>:   pop    rbx
   0x00000000000362dd <+301>:   pop    rbp
   0x00000000000362de <+302>:   pop    r12
   0x00000000000362e0 <+304>:   pop    r13
   0x00000000000362e2 <+306>:   pop    r14
   0x00000000000362e4 <+308>:   pop    r15
   0x00000000000362e6 <+310>:   ret    

This helps to mitigate attacks which try to inject and execute malicious code.

Comment 14 errata-xmlrpc 2020-03-26 08:12:36 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions

Via RHSA-2020:0979 https://access.redhat.com/errata/RHSA-2020:0979

Comment 15 Product Security DevOps Team 2020-03-26 10:31:52 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-5208

Comment 16 errata-xmlrpc 2020-03-26 14:48:29 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:0981 https://access.redhat.com/errata/RHSA-2020:0981

Comment 17 errata-xmlrpc 2020-03-26 20:12:44 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:0984 https://access.redhat.com/errata/RHSA-2020:0984

Comment 21 errata-xmlrpc 2020-04-06 16:53:09 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2020:1331 https://access.redhat.com/errata/RHSA-2020:1331

Comment 22 errata-xmlrpc 2020-04-16 08:53:25 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.5 Extended Update Support

Via RHSA-2020:1486 https://access.redhat.com/errata/RHSA-2020:1486

Comment 23 errata-xmlrpc 2020-05-19 14:41:20 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.4 Advanced Update Support
  Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.4 Telco Extended Update Support

Via RHSA-2020:2213 https://access.redhat.com/errata/RHSA-2020:2213

Comment 24 errata-xmlrpc 2020-05-26 08:48:17 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.2 Advanced Update Support

Via RHSA-2020:2284 https://access.redhat.com/errata/RHSA-2020:2284

Comment 25 errata-xmlrpc 2020-05-26 09:39:35 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.3 Advanced Update Support
  Red Hat Enterprise Linux 7.3 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.3 Telco Extended Update Support

Via RHSA-2020:2276 https://access.redhat.com/errata/RHSA-2020:2276

Comment 26 errata-xmlrpc 2020-05-26 11:16:37 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Extended Update Support

Via RHSA-2020:2286 https://access.redhat.com/errata/RHSA-2020:2286