Critical Vulnerability In OpenBMCs For Servers, Leads To Full Compromise


BMCs are specialized microcontrollers embedded in servers and other devices, responsible for monitoring and managing hardware health, including temperature, voltage, and system logs.

Cybersecurity researchers at Tetrel Sec recently discovered a critical vulnerability in the slpd-lite sub-component of the OpenBMC Project, a community-driven initiative to develop server-standard Baseboard Management Controllers (BMCs). 


The flaw received a critical CVSS v3.1 score of 9.8 and is tracked as CVE-2024-41660; it poses a significant risk to server security.

This security flaw only affects default OpenBMC builds in which the slpd-lite service is installed and enabled.


OpenBMCs For Servers

Since BMCs manage server hardware, a compromise of these devices could lead to remote management risks and expose multiple layers of security across the server. 

All builds that do not explicitly disable the service are vulnerable, and users are urged to move to the fixed version without delay.

The most recent commit of OpenBMC's slpd-lite implementation contained two significant vulnerabilities.

The first vulnerability, in the parseHeader() function, is an out-of-bounds (OOB) heap read caused by insufficient validation of the language tag length.

By manipulating the langtagLen field, an attacker can potentially read arbitrary heap data.

The second is an unsigned integer wrap in prepareHeader(), where the uint8_t length variable wraps around (the computed value would go below zero) due to incorrect handling of req.header.langtag.length().

Consequently, it causes an OOB heap write while copying data into an undersized buffer.

Both vulnerabilities arise from mishandling of attacker-controlled input in the UDP-based slpd service, which runs as root and listens on port 427 (svrloc).

Memory secrets or code addresses may be disclosed, and the heap corruption can allow arbitrary code execution, which makes these vulnerabilities extremely serious.

This means that comprehensive input validation and careful memory management are needed in the following functions, which lie on the affected code paths from the network-facing service:

  • “udpsocket::Channel::read()” 
  • “slp::parser::parseBuffer()” 
  • “slp::handler::processRequest()”
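The two defects above come down to a missing bound on the language tag length and a length computed in an 8-bit type. The following C sketch is an added illustration, not slpd-lite's own code; the 14-byte fixed header and the tag length at offset 12 come from the SLPv2 layout in RFC 2608, and `narrow_header_len()` is a hypothetical helper that shows what an 8-bit size does, beside the checked parse and the width-safe sizing a fix needs.

```c
#include <stddef.h>
#include <stdint.h>
/* SLPv2 header per RFC 2608: 14 fixed bytes, language tag length at offset
 * 12, then the tag. Offsets are the RFC's; this is not slpd-lite's code. */
#define SLP_HDR_FIXED ((size_t)14)
#define SLP_LANGTAG_LEN_OFF 12
typedef struct {
    uint16_t langtag_len;
    const uint8_t *langtag; /* points into the caller's buffer */
} slp_header_t;
/* Bounded parse: rejects datagrams shorter than the fixed header and any
 * tag length that would read past the bytes actually received. */
int parse_header_checked(const uint8_t *buf, size_t len, slp_header_t *out)
{
    if (buf == NULL || out == NULL || len < SLP_HDR_FIXED)
        return -1;
    uint16_t tag_len = (uint16_t)((buf[SLP_LANGTAG_LEN_OFF] << 8) | buf[SLP_LANGTAG_LEN_OFF + 1]);
    if ((size_t)tag_len > len - SLP_HDR_FIXED) /* the bound the OOB read lacks */
        return -1;
    out->langtag_len = tag_len;
    out->langtag = buf + SLP_HDR_FIXED;
    return 0;
}
/* Convenience wrapper: tag length on success, -1 on rejection. */
int langtag_len_of(const uint8_t *buf, size_t len)
{
    slp_header_t h;
    return parse_header_checked(buf, len, &h) == 0 ? (int)h.langtag_len : -1;
}

/* Hypothetical 8-bit sizing: 14 + 250 silently becomes 8, so a buffer sized
 * from it is far too small for the copy that follows. */
uint8_t narrow_header_len(uint16_t tag_len)
{
    return (uint8_t)(SLP_HDR_FIXED + tag_len);
}

/* Width-safe sizing: computed in size_t and checked against the caller's
 * capacity; returns 0 when the reply header would not fit. */
size_t reply_header_size(uint16_t tag_len, size_t cap)
{
    size_t need = SLP_HDR_FIXED + tag_len;
    return need <= cap ? need : 0;
}

/* Constructed sample datagrams (not captured traffic): a valid "en" tag, and
 * a 14-byte datagram whose tag length field claims 65535 bytes. */
static const uint8_t sample_ok[] = {2, 1, 0, 0, 16, 0, 0, 0, 0, 0, 0, 1, 0, 2, 'e', 'n'};
static const uint8_t sample_bad[] = {2, 1, 0, 0, 14, 0, 0, 0, 0, 0, 0, 1, 0xff, 0xff};
```

The second sample mirrors the shape of the ASAN finding described later (a 65535-byte read requested by a short datagram); with the bound in place it is rejected before any read.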

Tetrel verified heap corruption vulnerabilities in slpd-lite on Ubuntu 22.04.04 LTS through a systematic process. 

This involved installing build-essential and other dependencies, cloning the slpd-lite repository (commit 55aac8e1), modifying the listening port to 4427, and compiling with Address Sanitizer (ASAN) using Clang-15 and Meson. 

A Python proof-of-concept script was developed to exploit the vulnerabilities, manipulating the SLP header fields, particularly the Language Tag Length. 

The ASAN report revealed a heap-buffer-overflow at address 0x63000000fe0e, with a READ of size 65535, implicating functions like parseHeader and parseBuffer. 

Two distinct vulnerabilities were identified, both potentially allowing full BMC compromise by attackers on the same network or, depending on deployment, by remote attackers. The severity is heightened by how commonly BMC network services are exposed to the internet.
