Bug 2308375 (CVE-2024-42934)

Summary: CVE-2024-42934 openipmi: missing check on the authorization type on incoming LAN messages in IPMI simulator
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
Keywords: Security
Hardware: All
OS: Linux
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the IPMI simulator (ipmi_sim) component of OpenIPMI. Due to a missing check in the authorization type on incoming LAN messages, an attacker may be able to trigger a denial of service.
Bug Depends On: 2308382, 2308383

Description OSIDB Bzimport 2024-08-28 20:07:22 UTC
There was a bug found by AWS Security that affected the IPMI simulator, ipmi_sim. It does NOT affect the main library, just the simulator. This is mainly used for testing (by OpenIPMI and others) but I am fairly sure that some people are using this in production systems to control QEMU systems and to provide serial over LAN access to those systems. Unfortunately, I do not know who is using it for this purpose.

The bug is a missing check on the authorization type on incoming LAN messages. This can certainly be used to DoS ipmi_sim by causing it to crash by doing an index outside of an array. Since the value is 4 bits for old IPMI LAN and 8 bits for RMCP+, there is a limited range of what can be addressed. So there is a low probability that it could be used to cause messages to be authenticated without being actually authenticated. There is a very low probability it can be used for arbitrary code execution.

So if you are using ipmi_sim, you should upgrade to OpenIPMI 2.0.36 or later.

This is fixed by b52e8e2538b2 "lanserv: Check some bounds on incoming messages" with another fix, 4c129d0540f "lanserv: Fix an issue with authorization range checking" that fixes a bug introduced by the first change.
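The class of defect described above, as an added illustration that is not OpenIPMI's code: a constructed handler table indexed by the authorization type field of an incoming LAN message (4 bits for IPMI 1.5, 8 bits for RMCP+, as the description states), shown without and with the bounds check. All names (`auth_handlers`, `dispatch_auth_unchecked`, `dispatch_auth`) are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed example, not OpenIPMI code. Models a per-authentication-type
 * handler table looked up from the auth type field of a LAN message. */
typedef int (*auth_check_fn)(const uint8_t *msg, size_t len);

static int auth_none(const uint8_t *m, size_t l) { (void)m; (void)l; return 1; }
static int auth_md5(const uint8_t *m, size_t l)  { (void)m; (void)l; return 0; } /* stub */

/* Only a few types are implemented, but the wire field can express up to
 * 16 (IPMI 1.5, 4 bits) or 256 (RMCP+, 8 bits) distinct values. */
static const auth_check_fn auth_handlers[] = { auth_none, NULL, auth_md5, NULL, NULL, NULL };
#define NUM_AUTH_HANDLERS (sizeof(auth_handlers) / sizeof(auth_handlers[0]))

enum { AUTH_REJECTED = -1, AUTH_FAILED = 0, AUTH_OK = 1 };

/* Mask the field to its width: IPMI 1.5 carries the type in the low nibble,
 * RMCP+ uses the whole byte (hypothetical framing for this example). */
static unsigned auth_index(uint8_t field, int rmcpp)
{
    return rmcpp ? field : (field & 0x0fu);
}

/* Vulnerable pattern: the index comes straight from the network. A value
 * beyond NUM_AUTH_HANDLERS reads past the array (crash / DoS); a value that
 * lands on a NULL slot dereferences NULL. Shown for contrast only. */
int dispatch_auth_unchecked(uint8_t field, int rmcpp, const uint8_t *msg, size_t len)
{
    return auth_handlers[auth_index(field, rmcpp)](msg, len);
}

/* Hardened pattern: reject any type outside the table or without an
 * implementation before it is ever used as an index. */
int dispatch_auth(uint8_t field, int rmcpp, const uint8_t *msg, size_t len)
{
    unsigned idx = auth_index(field, rmcpp);
    if (idx >= NUM_AUTH_HANDLERS || auth_handlers[idx] == NULL)
        return AUTH_REJECTED;
    return auth_handlers[idx](msg, len);
}
```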

Comment 1 errata-xmlrpc 2024-10-14 02:43:18 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:8037 https://access.redhat.com/errata/RHSA-2024:8037

Comment 2 errata-xmlrpc 2024-10-14 18:20:38 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:8081 https://access.redhat.com/errata/RHSA-2024:8081