Bug 2308375 (CVE-2024-42934) - CVE-2024-42934 openipmi: missing check on the authorization type on incoming LAN messages in IPMI simulator
Summary: CVE-2024-42934 openipmi: missing check on the authorization type on incoming ...
Keywords:
Status: NEW
Alias: CVE-2024-42934
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2308382 2308383
Blocks:
 
Reported: 2024-08-28 20:07 UTC by OSIDB Bzimport
Modified: 2024-08-29 16:18 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the IPMI simulator (ipmi_sim) component of OpenIPMI. Due to a missing check in the authorization type on incoming LAN messages, an attacker may be able to trigger a denial of service.
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2024-08-28 20:07:22 UTC
There was a bug found by AWS Security that affected the IPMI simulator, ipmi_sim. It does NOT affect the main library, just the simulator. This is mainly used for testing (by OpenIPMI and others) but I am fairly sure that some people are using this in production systems to control QEMU systems and to provide serial over LAN access to those systems. Unfortunately, I do not know who is using it for this purpose.

The bug is a missing check on the authorization type on incoming LAN messages. This can certainly be used to DoS ipmi_sim by causing it to crash by doing an index outside of an array. Since the value is 4 bits for old IPMI LAN and 8 bits for RMCP+, there is a limited range of what can be addressed. So there is a low probability that it could be used to cause messages to be authenticated without being actually authenticated. There is a very low probability it can be used for arbitrary code execution.

So if you are using ipmi_sim, you should upgrade to OpenIPMI 2.0.36 or later.

This is fixed by b52e8e2538b2 "lanserv: Check some bounds on incoming messages" with another fix, 4c129d0540f "lanserv: Fix an issue with authorization range checking" that fixes a bug introduced by the first change.
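The pattern described in the report, as an added example that is not OpenIPMI's or ipmi_sim's code and does not reproduce the actual fix commits: an IPMI 1.5 LAN session header carries the authentication type in the low 4 bits of its first byte, and a server that uses that byte directly as an index into a per-auth-type table reads outside the table for values it does not know. The table, the function names and the sample packets below are constructed for illustration; the authentication type values (0 none, 1 MD2, 2 MD5, 3 reserved, 4 straight password, 5 OEM, 6 RMCP+ format) and the header layout are from the IPMI v1.5 specification.

```c
/* Added example, not OpenIPMI code: range-checking the IPMI 1.5 LAN session
 * header authentication type before it is used as a table index. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Authentication types, low 4 bits of byte 0 of the IPMI 1.5 session header. */
#define IPMI_AUTHTYPE_NONE      0
#define IPMI_AUTHTYPE_MD2       1
#define IPMI_AUTHTYPE_MD5       2
/* 3 is reserved */
#define IPMI_AUTHTYPE_STRAIGHT  4
#define IPMI_AUTHTYPE_OEM       5
#define IPMI_AUTHTYPE_RMCP_PLUS 6   /* packet is in RMCP+ format, parsed elsewhere */

/* Hypothetical per-auth-type dispatch table, as a LAN server might keep one. */
struct auth_handler {
    const char *name;        /* NULL means "no handler registered" */
    size_t      authcode_len; /* bytes of auth code after the session id */
};

#define AUTH_TABLE_SIZE 6
static const struct auth_handler auth_table[AUTH_TABLE_SIZE] = {
    [IPMI_AUTHTYPE_NONE]     = { "none",     0  },
    [IPMI_AUTHTYPE_MD2]      = { "md2",      16 },
    [IPMI_AUTHTYPE_MD5]      = { "md5",      16 },
    /* index 3 left zeroed: reserved, no handler */
    [IPMI_AUTHTYPE_STRAIGHT] = { "straight", 16 },
    [IPMI_AUTHTYPE_OEM]      = { "oem",      16 },
};

/* The unsafe pattern: the raw header byte is the table index. Anything
 * >= AUTH_TABLE_SIZE would read past auth_table, and 3 would yield a NULL
 * name. This only returns the index it would have used; it never indexes. */
int unchecked_auth_index(const uint8_t *hdr)
{
    return hdr[0];
}

/* The safe pattern: mask to the 4-bit field, reject indexes outside the
 * table and indexes with no registered handler. Returns index or -1. */
int checked_auth_index(const uint8_t *hdr, size_t len)
{
    if (len < 1)
        return -1;
    unsigned int authtype = hdr[0] & 0x0f;
    if (authtype >= AUTH_TABLE_SIZE)      /* covers 6 (RMCP+) and 7..15 */
        return -1;
    if (auth_table[authtype].name == NULL) /* reserved slot 3 */
        return -1;
    return (int)authtype;
}

/* Parse an IPMI 1.5 session header:
 *   authtype(1) seq(4) session_id(4) [authcode(16) unless type none] payload_len(1)
 * Returns the payload length, or -1 if the header is truncated, the payload
 * length exceeds the packet, or the authentication type is not acceptable. */
int parse_ipmi15_session_header(const uint8_t *pkt, size_t len, const char **auth_name)
{
    int idx = checked_auth_index(pkt, len);
    if (idx < 0)
        return -1;
    size_t need = 1 + 4 + 4 + auth_table[idx].authcode_len + 1;
    if (len < need)
        return -1;
    uint8_t payload_len = pkt[need - 1];
    if (len - need < (size_t)payload_len)
        return -1;
    if (auth_name)
        *auth_name = auth_table[idx].name;
    return payload_len;
}

/* Constructed sample packets (not captured traffic). */
static const uint8_t sample_none[] = {
    0x00, 0,0,0,0, 0,0,0,0, 0x02, 0xaa, 0xbb };                 /* type none, 2-byte payload */
static const uint8_t sample_md5[] = {
    0x02, 0,0,0,0, 0,0,0,0,
    1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16, 0x00 };            /* type md5, 16-byte authcode */
static const uint8_t sample_reserved[] = {
    0x03, 0,0,0,0, 0,0,0,0, 0x00 };                             /* reserved type 3 */
static const uint8_t sample_out_of_range[] = {
    0xff, 0,0,0,0, 0,0,0,0, 0x00 };                             /* low nibble 15, past table */

int main(void)
{
    const char *name = NULL;
    int n = parse_ipmi15_session_header(sample_none, sizeof sample_none, &name);
    printf("none: payload_len=%d auth=%s\n", n, name ? name : "(rejected)");
    printf("0xff: unchecked index %d, checked index %d\n",
           unchecked_auth_index(sample_out_of_range),
           checked_auth_index(sample_out_of_range, sizeof sample_out_of_range));
    return 0;
}
```

The check sits before any use of the field: masking to the 4-bit width alone is not enough, since values 6 through 15 still fit in four bits but have no slot in a table sized for the five defined 1.5 types, and the reserved slot must be rejected explicitly rather than dereferenced.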

