VU#163057: BMC software fails ... Note

VU#163057: BMC software fails to validate IPMI session.

The IPMI implementations in multiple manufacturer's Baseboard Management Controller (BMC) software are vulnerable to IPMI session hijacking. An attacker with access to the BMC network can exploit the lack of session integrity to hijack sessions and execute arbitrary IPMI commands on the BMC. IPMI is a computer interface specification that provides low-level management capabilities and is supported by many BMC manufacturers. It allows for transparent access to hardware and supports pre-boot capabilities. The security researcher discovered two vulnerabilities related to BMC software and session management, including weak randomization and failure to enforce previously negotiated IPMI 2.0 session parameters. These vulnerabilities can allow an unauthenticated attacker with access to the BMC network to predict IPMI session IDs and/or BMC random numbers, replay a previous session, or hijack an IPMI session. This can enable the attacker to inject arbitrary commands into the BMC and perform high-privileged functions. To address these vulnerabilities, apply an update from the vendor and restrict access to the BMC network by only allowing connections from trusted hosts and networks. The security researcher who reported these vulnerabilities wishes to remain anonymous.