Intel fixed 22 vulnerabilities in the firmware of its server motherboards


Intel has announced fixes for 22 vulnerabilities in the firmware of its server motherboards, server systems and compute modules. Three of the vulnerabilities, one of them rated critical, are in the firmware of the Emulex Pilot 3 BMC used in Intel products.

A BMC (Baseboard Management Controller) is a specialized controller installed on servers. It has its own CPU, memory, storage and sensor-polling interfaces, and it provides a low-level interface for monitoring and controlling the server hardware independently of the host operating system.

The vulnerabilities allow unauthenticated access to the management console (KVM), bypassing authentication when emulating USB storage devices, and triggering a remote buffer overflow in the Linux kernel used by the BMC.

CVE-2020-8708 allows an unauthenticated attacker with access to a LAN segment shared with a vulnerable server to gain access to the BMC management environment. The exploitation technique is described as very simple and reliable, since the problem is caused by a design flaw rather than a memory-corruption bug that needs to be coaxed into working.

In addition, according to the researcher who identified the vulnerability, working with the BMC through the exploit is much more convenient than using the regular Java client.

The affected hardware includes the Intel server system families R1000WT, R2000WT, R1000SP, LSVRP, LR1304SP, R1000WF and R2000WF, and the motherboards S2600WT, S2600CW, S2600KP, S2600TP, S1200SP, S2600WF, SB2600ST ... The problems are fixed in firmware update 00.

According to unofficial information, the firmware for the Emulex Pilot 3 BMC was written by AMI, so it cannot be ruled out that the same vulnerabilities are present in third-party systems.

The problems are located in out-of-tree patches to the Linux kernel and in the user-space control process, whose code the researcher who identified the problem described as the worst he has encountered.

The other vulnerabilities fixed in the same update:

  • CVE-2020-8730: an overflow on some boards may allow an authenticated user to potentially enable privilege escalation via local access.
  • CVE-2020-8731: may allow an authenticated user to potentially enable privilege escalation via local access.
  • CVE-2020-8707: a buffer overflow may allow an unauthenticated user to potentially enable privilege escalation via adjacent access.
  • CVE-2020-8719: a buffer overflow in a subsystem may allow a privileged user to potentially enable privilege escalation via local access.
  • CVE-2020-8721: improper input validation may allow a privileged user to potentially enable privilege escalation via local access.
  • CVE-2020-8710: a buffer overflow in the boot loader may allow a privileged user to potentially enable privilege escalation via local access.
  • CVE-2020-8711: improper access control in the boot loader may allow a privileged user to potentially enable privilege escalation via local access.
  • CVE-2020-8712: a buffer overflow in a verification process on some boards may allow an authenticated user to potentially enable privilege escalation via local access.
  • CVE-2020-8718: a buffer overflow in a subsystem on some boards may allow an authenticated user to potentially enable privilege escalation via local access.
  • CVE-2020-8722: a buffer overflow in a subsystem on some boards may allow a privileged user to potentially enable privilege escalation via local access.
  • CVE-2020-8732: a heap-based buffer overflow in the firmware may allow an unauthenticated user to potentially enable privilege escalation via adjacent access.
  • CVE-2020-8709: improper authentication in socket services on some boards may allow an unauthenticated user to potentially enable privilege escalation via adjacent access.
  • CVE-2020-8723: cross-site scripting on some boards may allow an unauthenticated user to potentially enable privilege escalation via adjacent access.
  • CVE-2020-8713: improper authentication on some boards may allow an unauthenticated user to potentially enable privilege escalation via adjacent access.
