-
Notifications
You must be signed in to change notification settings - Fork 1
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Create Advisory-SVG-CVE-2023-34329.md
- Loading branch information
1 parent
b748ecb
commit 827a42e
Showing
1 changed file
with
145 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,145 @@ | ||
| --- | ||
| title: Advisory-SVG-CVE-2023-34329 | ||
| permalink: /Advisory-SVG-CVE-2023-34329 | ||
| redirect_from: | ||
| - /Advisory-SVG-CVE-2023-34330 | ||
| published: false | ||
| --- | ||
|
|
||
| ## Advisory-SVG-CVE-2023-34329 | ||
|
|
||
| ``` | ||
| Title: EGI SVG 'ALERT' [TLP:CLEAR] Two BMC vulnerabilities (CVE-2023-34329) | ||
| Date: 2023-07-27 | ||
| Updated: | ||
| Affected software and risk | ||
| ========================== | ||
| The two security flaws enable attackers to bypass authentication or inject | ||
| malicious code via Redfish remote management interfaces exposed to remote | ||
| access: | ||
| CVE-2023-34329 - Authentication Bypass via HTTP Header Spoofing | ||
| CVE-2023-34330 - Code injection via Dynamic Redfish Extension interface | ||
| See [R 1] [R 2] [R 3] | ||
| The EGI SVG is aware that sites may use the remote management interface to | ||
| manage their deployments. Both these vulnerabilities require adjacent or | ||
| local network as well as high privileges in order to be exploited. If sites | ||
| carry out best practice in their deployment and ensure this service is only | ||
| accessible to those who manage the site, it should not be possible to exploit | ||
| these vulnerabilities. | ||
| Actions required/recommended | ||
| ============================ | ||
| Sites running vulnerable servers should urgently apply vendor updates. | ||
| Administrators should make sure that all remote server management interfaces | ||
| such as Redfish and the BMC subsystems in their environments are not exposed | ||
| externally. BMC interface access should be restricted to administrative users | ||
| with Access Control Lists (ACL) in place. | ||
| Disable default built-in administrative accounts that might be provided by the | ||
| vendors, check if your vendor already provided a firmware upgrade that mitigates | ||
| these vulnerabilities. A unique, well-protected admin account configuration for | ||
| your management systems is usually a good practice. | ||
| One case where sites may be vulnerable, is if Cloud users who have root access | ||
| inside their VMs have unrestricted access to local networks and might thus be | ||
| able to contact BMC endpoints. | ||
| If anyone becomes aware of any situation where this vulnerability has a | ||
| significant impact on the EGI infrastructure then please inform EGI SVG. | ||
| Component installation information | ||
| ================================== | ||
| Sites should see information from their vendor. | ||
| TLP and URL | ||
| =========== | ||
| ** CLEAR information - Unlimited distribution - see | ||
| https://confluence.egi.eu/display/EGIG/Traffic+Light+Protocol for | ||
| distribution restrictions** | ||
| URL: https://advisories.egi.eu/Advisory-SVG-CVE-2023-34329 | ||
| Minor updates may be made without re-distribution to the sites. | ||
| Comments | ||
| ======== | ||
| Comments or questions should be sent to svg-rat at mailman.egi.eu | ||
| If you find or become aware of another vulnerability which is relevant to EGI | ||
| you may report it by e-mail to | ||
| report-vulnerability at egi.eu | ||
| the EGI Software Vulnerability Group will take a look according to the | ||
| procedure defined in [R 5] | ||
| Note that this is undergoing revision to fully handle vulnerabilities in the | ||
| EOSC era. | ||
| References | ||
| ========== | ||
| [R 1] https://www.bleepingcomputer.com/news/security/critical-ami-megarac-bugs-can-let-hackers-brick-vulnerable-servers/ | ||
| [R 2] https://nvd.nist.gov/vuln/detail/CVE-2023-34329 | ||
| [R 3] https://nvd.nist.gov/vuln/detail/CVE-2023-34330 | ||
| [R 5] https://documents.egi.eu/public/ShowDocument?docid=3867 | ||
| Credit | ||
| ====== | ||
| SVG was alerted to this vulnerability by Barbara Krasovec who is a member of | ||
| the EGI SVG | ||
| Timeline | ||
| ======== | ||
| Yyyy-mm-dd [EGI-SVG-CVE-2023-34329] | ||
| 2023-07-07 SVG alerted to this issue by Barbara Krasovec | ||
| 2023-07--- Investigation of vulnerability and relevance to EGI carried out | ||
| 2023-07-26 EGI SVG decided to send alert to sites, as a small number may be vulnerable. | ||
| 2023-07-27 Alert sent to sites | ||
| Context | ||
| ======= | ||
| This advisory has been prepared as part of the effort to fulfil EGI SVG's | ||
| purpose "To minimize the risk to the EGI infrastructure arising from software | ||
| vulnerabilities" | ||
| The risk is that assessed by the group, according to the EGI SVG issue handling | ||
| procedure [R 5] in the context of how the software is used in the EGI | ||
| infrastructure. It is the opinion of the group, we do not guarantee it to be | ||
| correct. The risk may also be higher or lower in other deployments depending on | ||
| how the software is used. | ||
| ----------------------------- | ||
| Others may re-use this information provided they:- | ||
| 1) Respect the provided TLP classification | ||
| 2) Credit the EGI https://www.egi.eu/ Software Vulnerability Group | ||
| ------------------------------ | ||
| Note that the SVG issue handling procedure is currently under review, to take | ||
| account of the increasing inhomogeneity of the EGI infrastructure and the | ||
| services in the EOSC catalogue. | ||
| On behalf of the EGI SVG, | ||
| ``` |