Libupnp Buffer Overflow in Motherboards with Nuvoton WPCM450R IPMI Chips and ATEN Software
This article describes the security issue and how to close the vulnerability by updating the IPMI firmware.
Update - see also:
- Supermicro IPMI Security Updates November 2013 (November 2013)
General Safety Information
We recommend not operating administrative access such as IPMI or SSH services over the Internet. Instead, use a firewall so that only authorized persons can reach such services through a VPN. This recommendation applies regardless of the vulnerability described here.
The issue affects server motherboards that contain Nuvoton WPCM450R IPMI chips with ATEN software.
That includes the following motherboards from Thomas Krenn:
- X9 Motherboards for Intel CPUs (with IPMI Firmware versions before v2.24): X9SCA-F, X9SCM-F, X9DBL-iF, X9DR7-LN4F, X9DRi-F
- X8 Motherboards for Intel CPUs (with IPMI Firmware versions before v2.58): X8SIL-F, X8DTL-3F
- X7 Motherboards for Intel CPUs (with IPMI Firmware versions before v2.58): X7SPA-HF, X7SPE-HF, X7SPE-HF-D525
- H8 Motherboards for AMD CPUs (with IPMI Firmware versions before v2.59): H8SCM-F, H8DG6-F
UPnP is an architecture for discovering, notifying and controlling devices in a network, regardless of operating system or programming language. UPnP is based on common Internet standards and specifications such as TCP/IP, HTTP and XML.
The Portable SDK for UPnP Devices (libupnp) is affected by buffer overflows. These vulnerabilities can be triggered during the processing of incoming SSDP requests on UDP port 1900. The security vulnerabilities are documented in the following CVE IDs: CVE-2012-5958, CVE-2012-5959, CVE-2012-5960, CVE-2012-5961, CVE-2012-5962, CVE-2012-5963, CVE-2012-5964 and CVE-2012-5965.
An attacker with network access to the IPMI IP address can trigger a buffer overflow in the IPMI baseboard management controller (BMC) by sending SSDP requests. Upon successful exploitation of the vulnerability, arbitrary commands can be executed on the BMC's Linux system with root privileges.
This vulnerability can be rectified by an IPMI firmware update.
The following IPMI firmware versions fix the vulnerability on the affected components:
- X9 Motherboards for Intel CPUs (X9SCA-F, X9SCM-F, X9DBL-iF, X9DR7-LN4F, X9DRi-F): IPMI Firmware v2.24 (SMT_X9_224.bin)
- X8 Motherboards for Intel CPUs (X8SIL-F, X8DTL-3F): IPMI Firmware v2.58 (X8_UPNP_Security_042613.bin)
- X7 Motherboards for Intel CPUs (X7SPA-HF, X7SPE-HF, X7SPE-HF-D525): IPMI Firmware v2.58 (UPNP_SX.bin)
- H8 Motherboards for AMD CPUs (H8SCM-F, H8DG6-F): IPMI Firmware v2.59 (SMT_259.bin)
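To check an inventory against the fixed versions listed above, the following added example (not part of the original article or of any vendor tooling) compares the `Firmware Revision` reported by `ipmitool mc info` with the fixed version for each board. It assumes the board model is supplied from your own inventory; the sample output is constructed.

```python
import re

# Fixed IPMI firmware versions per board, taken from the list above.
FIXED = {}
for boards, fixed in (
    ("X9SCA-F X9SCM-F X9DBL-iF X9DR7-LN4F X9DRi-F", "2.24"),
    ("X8SIL-F X8DTL-3F", "2.58"),
    ("X7SPA-HF X7SPE-HF X7SPE-HF-D525", "2.58"),
    ("H8SCM-F H8DG6-F", "2.59"),
):
    for board in boards.split():
        FIXED[board.upper()] = fixed

def parse_version(text):
    """'v2.24' -> (2, 24). Parts are compared as integers, not as strings."""
    m = re.fullmatch(r"\s*v?(\d+)\.(\d+)\s*", text)
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return int(m.group(1)), int(m.group(2))

def firmware_revision(mc_info):
    """Extract the 'Firmware Revision' value from `ipmitool mc info` output."""
    m = re.search(r"^Firmware Revision\s*:\s*(\S+)", mc_info, re.MULTILINE)
    if not m:
        raise ValueError("no 'Firmware Revision' line found")
    return m.group(1)

def audit(board, mc_info):
    """Return 'vulnerable', 'fixed', or 'not-listed' for one BMC."""
    fixed = FIXED.get(board.strip().upper())
    if fixed is None:
        # Not in this article's list; this says nothing about other advisories.
        return "not-listed"
    running = parse_version(firmware_revision(mc_info))
    return "vulnerable" if running < parse_version(fixed) else "fixed"

# Constructed sample, shaped like `ipmitool mc info` output.
SAMPLE_OLD = """Device ID                 : 32
Device Revision           : 1
Firmware Revision         : 2.05
IPMI Version              : 2.0
"""
SAMPLE_NEW = SAMPLE_OLD.replace("2.05", "2.24")

if __name__ == "__main__":
    for board, info in (("X9SCM-F", SAMPLE_OLD), ("X9SCM-F", SAMPLE_NEW),
                        ("X8SIL-F", SAMPLE_NEW), ("UNLISTED-BOARD", SAMPLE_NEW)):
        print(board, firmware_revision(info), audit(board, info))
```

Note that v2.24 counts as fixed only for the X9 boards; the same revision on an X8, X7 or H8 board is still below the fixed version for that family.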
Thomas Krenn strongly recommends that all affected customers install these IPMI firmware updates and that administrative access such as IPMI or SSH services not be operated over the Internet, but be made available to authorized persons only, via a firewall / VPN.
For additional information about the firmware, please refer to the article IPMI Firmware Update for Supermicro Motherboards with ATEN IPMI Software.
- Vulnerability Note VU#922681 - Portable SDK for UPnP Devices (libupnp) contains multiple buffer overflows in SSDP (www.kb.cert.org)
Author: Werner Fischer