It's been found that multiple functions in ipmitool before 1.8.19 neglect proper checking of the data received from a remote LAN party, which may lead to buffer overflows and potentially to remote code execution on the ipmitool side. This is especially dangerous if ipmitool is run as a privileged user. This problem is fixed in version 1.8.19.

Upstream patch:
https://github.com/ipmitool/ipmitool/commit/e824c23316ae50beb7f7488f2055ac65e8b341f2

References:
https://github.com/ipmitool/ipmitool/security/advisories/GHSA-g659-9qxw-p7cp
Created ipmitool tracking bugs for this issue: Affects: fedora-all [bug 1798722]
Notes: ipmitool version 1.8.19 is not released yet and AFAIK there is no ETA.

There are 6 commits fixing this CVE (oldest first):
e824c23316ae50beb7f7488f2055ac65e8b341f2 fru: Fix buffer overflow vulnerabilities
840fb1cbb4fb365cb9797300e3374d4faefcdb10 fru: Fix buffer overflow in ipmi_spd_print_fru
41d7026946fafbd4d1ec0bcaca3ea30a6e8eed22 session: Fix buffer overflow in ipmi_get_session_info
9452be87181a6e83cfcc768b3ed8321763db50e4 channel: Fix buffer overflow
d45572d71e70840e0d4c50bf48218492b79c1a10 lanp: Fix buffer overflows in get_lan_param_select
7ccea283dd62a05a320c1921e3d8d71a87772637 fru, sdr: Fix id_string buffer overflows
External References: https://github.com/ipmitool/ipmitool/security/advisories/GHSA-g659-9qxw-p7cp
Upstream commits for this issue:
https://github.com/ipmitool/ipmitool/commit/7ccea283dd62a05a320c1921e3d8d71a87772637
https://github.com/ipmitool/ipmitool/commit/d45572d71e70840e0d4c50bf48218492b79c1a10
https://github.com/ipmitool/ipmitool/commit/9452be87181a6e83cfcc768b3ed8321763db50e4
https://github.com/ipmitool/ipmitool/commit/41d7026946fafbd4d1ec0bcaca3ea30a6e8eed22
https://github.com/ipmitool/ipmitool/commit/840fb1cbb4fb365cb9797300e3374d4faefcdb10
https://github.com/ipmitool/ipmitool/commit/e824c23316ae50beb7f7488f2055ac65e8b341f2
Statement: The ipmitool packages distributed with Red Hat Enterprise Linux versions are compiled using gcc's stack-protector feature. The stack canary generated by this feature helps mitigate any remote code execution attacks for this flaw.
Mitigation: There's no mitigation available for this issue, although a few actions help to reduce the attack risk:
1) Avoid running `ipmitool` as a privileged user;
2) Avoid running `ipmitool` against non-trusted IPMI-enabled devices.
There's an issue with ipmitool where, in several code paths, it fails to validate in-memory buffer offsets. When receiving data from a LAN party, ipmitool neglects to properly check the data, which may lead to heap-based buffer overflows in several code paths. An attacker may leverage this issue by crafting special payloads which may cause memory corruption, DoS and possibly remote code execution.

Talking more specifically about the remote code execution possibility, the ipmitool package shipped with Red Hat Enterprise Linux versions is compiled using gcc's stack-protector mechanism, as demonstrated below by disassembling one of the affected functions:

gef➤ disassemble/m read_fru_area
Dump of assembler code for function read_fru_area:
617     {
   0x00000000000361b0 <+0>:     endbr64
   0x00000000000361b4 <+4>:     push   r15
   0x00000000000361b6 <+6>:     mov    r15d,ecx
   0x00000000000361b9 <+9>:     push   r14
   0x00000000000361bb <+11>:    push   r13
   0x00000000000361bd <+13>:    push   r12
   0x00000000000361bf <+15>:    push   rbp
   0x00000000000361c0 <+16>:    push   rbx
   0x00000000000361c1 <+17>:    sub    rsp,0x38
   0x00000000000361c5 <+21>:    movzx  r14d,WORD PTR [rsi]
   0x00000000000361c9 <+25>:    mov    BYTE PTR [rsp+0xf],dl
   0x00000000000361cd <+29>:    mov    rax,QWORD PTR fs:0x28       <---------- stack canary being loaded from thread data segment
   0x00000000000361d6 <+38>:    mov    QWORD PTR [rsp+0x28],rax    <------- then being moved into proper position at stack
   0x00000000000361db <+43>:    xor    eax,eax

When returning:

   0x00000000000362bf <+271>:   cmp    r15d,ebx
   0x00000000000362c2 <+274>:   sbb    eax,eax
   0x00000000000362c4 <+276>:   mov    rbx,QWORD PTR [rsp+0x28]    <----------
   0x00000000000362c9 <+281>:   xor    rbx,QWORD PTR fs:0x28       <-------------
   0x00000000000362d2 <+290>:   jne    0x364c4 <read_fru_area+788> <-------
                                                                      |
        gef➤ x/i read_fru_area+788
           0x364c4 <read_fru_area+788>:    call   0x1a320 <__stack_chk_fail@plt>
   0x00000000000362d8 <+296>:   add    rsp,0x38
   0x00000000000362dc <+300>:   pop    rbx
   0x00000000000362dd <+301>:   pop    rbp
   0x00000000000362de <+302>:   pop    r12
   0x00000000000362e0 <+304>:   pop    r13
   0x00000000000362e2 <+306>:   pop    r14
   0x00000000000362e4 <+308>:   pop    r15
   0x00000000000362e6 <+310>:   ret

This action helps to mitigate attacks which try to inject and execute malicious code.
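As an added example that is not part of this bug report or of ipmitool's own code, the class of check these fixes need can be illustrated on a "Read FRU Data"-style response: the count byte is supplied by the remote BMC and must be validated against the requested length, the received packet and the local buffer before anything is copied. The field layout, function names and buffer size are assumptions made for illustration.

```c
/* Added illustrative example, not ipmitool's code: bounds-checking a
 * "Read FRU Data"-style response before copying it into a local buffer.
 * Constructed layout: rsp[0] = count of data bytes returned, rsp[1..] =
 * those bytes. rsp[0] is chosen by the remote BMC and is untrusted; an
 * unchecked memcpy(fru + offset, rsp + 1, rsp[0]) is the overflow pattern. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define FRU_AREA_SIZE 256   /* constructed size of the local FRU buffer */
/* Copies the payload into fru at offset; returns bytes copied or -1. */
int fru_copy_response(uint8_t *fru, size_t fru_size, size_t offset,
                      size_t requested, const uint8_t *rsp, size_t rsp_len)
{
    if (fru == NULL || rsp == NULL || rsp_len < 1)
        return -1;
    size_t count = rsp[0];
    if (count > requested)          /* 1. more than was asked for */
        return -1;
    if (count > rsp_len - 1)        /* 2. count not actually present */
        return -1;
    /* 3. write must end inside fru; subtraction form cannot overflow */
    if (offset > fru_size || count > fru_size - offset)
        return -1;
    memcpy(fru + offset, rsp + 1, count);
    return (int)count;
}

/* Constructed responses exercising the accept and reject paths. */
int demo_valid(void)
{
    uint8_t fru[FRU_AREA_SIZE] = {0};
    const uint8_t rsp[] = {4, 0xAA, 0xBB, 0xCC, 0xDD};
    int n = fru_copy_response(fru, sizeof fru, 0, 16, rsp, sizeof rsp);
    return (n == 4 && fru[3] == 0xDD) ? n : -1;
}
int demo_oversized_count(void)
{
    uint8_t fru[FRU_AREA_SIZE] = {0};
    /* count byte claims 200 bytes; only 4 follow and 16 were requested */
    const uint8_t rsp[] = {200, 0xAA, 0xBB, 0xCC, 0xDD};
    return fru_copy_response(fru, sizeof fru, 0, 16, rsp, sizeof rsp);
}
int demo_offset_past_end(void)
{
    uint8_t fru[FRU_AREA_SIZE] = {0};
    const uint8_t rsp[] = {4, 0xAA, 0xBB, 0xCC, 0xDD};
    /* offset 254 plus 4 bytes would run 2 bytes past the buffer */
    return fru_copy_response(fru, sizeof fru, 254, 16, rsp, sizeof rsp);
}
```

The stack canary shown in the disassembly above only detects the corruption after the fact; the length checks here are what prevent the write from happening.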
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions Via RHSA-2020:0979 https://access.redhat.com/errata/RHSA-2020:0979
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-5208
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:0981 https://access.redhat.com/errata/RHSA-2020:0981
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2020:0984 https://access.redhat.com/errata/RHSA-2020:0984
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2020:1331 https://access.redhat.com/errata/RHSA-2020:1331
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.5 Extended Update Support Via RHSA-2020:1486 https://access.redhat.com/errata/RHSA-2020:1486
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.4 Advanced Update Support Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions Red Hat Enterprise Linux 7.4 Telco Extended Update Support Via RHSA-2020:2213 https://access.redhat.com/errata/RHSA-2020:2213
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.2 Advanced Update Support Via RHSA-2020:2284 https://access.redhat.com/errata/RHSA-2020:2284
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.3 Advanced Update Support Red Hat Enterprise Linux 7.3 Update Services for SAP Solutions Red Hat Enterprise Linux 7.3 Telco Extended Update Support Via RHSA-2020:2276 https://access.redhat.com/errata/RHSA-2020:2276
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.6 Extended Update Support Via RHSA-2020:2286 https://access.redhat.com/errata/RHSA-2020:2286