Privilege escalation in OpenBMC



Risk: Low
Patch available: YES
Number of vulnerabilities: 1
CVE-ID: CVE-2019-6260
CWE-ID: CWE-264
Exploitation vector: Local network
Public exploit: Public exploit code for vulnerability #1 is available.
Vulnerable software: OpenBMC (Web applications / Other software)

Vendor: openbmc

Security Bulletin

This security bulletin contains one low risk vulnerability.

1) Privilege escalation

EUVDB-ID: #VU17188

Risk: Low

CVSSv4.0: 7.4 [CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Clear]

CVE-ID: CVE-2019-6260

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows an adjacent unauthenticated attacker to gain elevated privileges on the system.

The vulnerability exists in ASPEED ast2400 and ast2500 Baseboard Management Controller (BMC) hardware due to an error in the implementation of Advanced High-performance Bus (AHB) bridges on the LPC and PCIe buses. An adjacent attacker can gain read and write access to the BMC’s physical address space from the host and take control of the BMC.

Note: the vulnerability has been nicknamed "pantsdown".

Mitigation

The vulnerability has been addressed in version 2.6.

Vulnerable software versions

OpenBMC: 1.0.0 - 2.4

External links

https://www.flamingspork.com/blog/2019/01/23/cve-2019-6260:-gaining-control-of-bmc-from-the-host-processor/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.


