Libupnp Buffer Overflow in Motherboards with Nuvoton Chips with IPMI WPCM450R Software

From Thomas-Krenn-Wiki
Jump to: navigation, search

Supermicro Motherboards with Nuvoton WPCM450R IPMI Chip with ATEN-Software have encountered some security loopholes with libupnp library when in use with older versions of IPMI firmware.[1]

In this article you will find information about the security issue and how to close this security loophole by updating the IPMI firmware.

Update - see also:

General Safety Information

We recommend administrative access such as IPMI, or SSH services not to operate over the internet, but to allow VPN access to such services by authorized persons only through the use of a firewall. This recommendation applies regardless of the vulnerability issue described here.

Affected Hardware

This affects server motherboards that contain Nuvoton WPCM450R IPMI Chips with ATEN-Software.

That includes the following motherboards from Thomas Krenn:

Details

UPnP is an architecture for recognizing (Discovery), notifying and controlling devices in a network, regardless of operating system or programming language. UPnP is based on common Internet standards and specifications such as TCP/IP, HTTP und XML.

The portable SDK for UPnP-devices is affected by buffer overflows. These vulnerabilities can be used during the processing of incoming SSDP requests to UDP-Port 1900. The security vulnerabilities are documented in the following CVE IDs: CVE-2012-5958, CVE-2012-5959, CVE-2012-5960, CVE-2012-5961, CVE-2012-5962, CVE-2012-5963, CVE-2012-5964 und CVE-2012-5965.

Immplications

An attacker with network access to the IPMI IP address can trigger an alteration by sending SSDP requests of a buffer overflow in the IPMI baseboard management controller (BMC). Upon successful exploitation of the vulnerability arbitrary commands of the Linux IPMI BMCs can be executed with root privileges.

Counter Measures

This vulnerability can be rectified by an IPMI firmware update.

The following IPMI firmware versions can remove your componets from vulnerability:

Thomas Krenn strongly recommends that all affected customers to execute any such IPMI firmware updates and not to conduct administrative access such as IPMI, or SSH services on the Internet, but to only, via a firewall / VPN, allow access to such services by authorized persons.

For additional information about the firmware, please refer to this article IPMI Firmware Update for Supermicro Motherboards with ATEN IPMI Software.

References

  1. Vulnerability Note VU#922681 - Portable SDK for UPnP Devices (libupnp) contains multiple buffer overflows in SSDP (www.kb.cert.org)


Foto Werner Fischer.jpg

Author: Werner Fischer

Werner Fischer, working in the Web Operations & Knowledge Transfer team at Thomas-Krenn, completed his studies of Computer and Media Security at FH Hagenberg in Austria. He is a regular speaker at many conferences like LinuxTag, OSMC, OSDC, LinuxCon, and author for various IT magazines. In his spare time he enjoys playing the piano and training for a good result at the annual Linz marathon relay.


Related articles

Nuvoton WPCM450R IPMI Chip with ATEN-Software
Security Recommendations for Remote Maintenance Features for IPMI Chips with ATEN-Software
Supermicro IPMI Configuration through BIOS or Web Interface