From 827a42e146a5c8ea3d2be8646dc87c17e273a61a Mon Sep 17 00:00:00 2001 From: Lindacornwall <55097368+Lindacornwall@users.noreply.github.com> Date: Fri, 28 Jul 2023 12:38:58 +0100 Subject: [PATCH] Create Advisory-SVG-CVE-2023-34329.md --- 2023/Advisory-SVG-CVE-2023-34329.md | 145 ++++++++++++++++++++++++++++ 1 file changed, 145 insertions(+) create mode 100644 2023/Advisory-SVG-CVE-2023-34329.md diff --git a/2023/Advisory-SVG-CVE-2023-34329.md b/2023/Advisory-SVG-CVE-2023-34329.md new file mode 100644 index 0000000..66604ac --- /dev/null +++ b/2023/Advisory-SVG-CVE-2023-34329.md 
@@ -0,0 +1,145 @@ +--- +title: Advisory-SVG-CVE-2023-34329 +permalink: /Advisory-SVG-CVE-2023-34329 +redirect_from: + - /Advisory-SVG-CVE-2023-34330 +published: false +--- + +## Advisory-SVG-CVE-2023-34329 + +``` +Title: EGI SVG 'ALERT' [TLP:CLEAR] Two BMC vulnerabilities (CVE-2023-34329) + +Date: 2023-07-27 +Updated: + +Affected software and risk +========================== + +The two security flaws enable attackers to bypass authentication or inject +malicious code via Redfish remote management interfaces exposed to remote +access: + +CVE-2023-34329 - Authentication Bypass via HTTP Header Spoofing +CVE-2023-34330 - Code injection via Dynamic Redfish Extension interface + +See [R 1] [R 2] [R 3] + +The EGI SVG is aware that sites may use the remote management interface to + manage their deployments. Both these vulnerabilities require adjacent or +local network as well as high privileges in order to be exploited. If sites +carry out best practice in their deployment and ensure this service is only +accessible to those who manage the site, it should not be possible to exploit +these vulnerabilities. + +Actions required/recommended +============================ + +Sites running vulnerable servers should urgently apply vendor updates. + +Administrators should make sure that all remote server management interfaces +such as Redfish and the BMC subsystems in their environments are not exposed +externally. BMC interface access should be restricted to administrative users +with Access Control Lists (ACL) in place. +Disable default built-in administrative accounts that might be provided by the +vendors, check if your vendor already provided a firmware upgrade that mitigates +these vulnerabilities. A unique, well-protected admin account configuration for +your management systems is usually a good practice. 
+ +One case where sites may be vulnerable, is if Cloud users who have root access +inside their VMs have unrestricted access to local networks and might thus be +able to contact BMC endpoints. + +If anyone becomes aware of any situation where this vulnerability has a +significant impact on the EGI infrastructure then please inform EGI SVG. + +Component installation information +================================== + +Sites should see information from their vendor. + + +TLP and URL +=========== + +** CLEAR information - Unlimited distribution - see +https://confluence.egi.eu/display/EGIG/Traffic+Light+Protocol for +distribution restrictions** + +URL: https://advisories.egi.eu/Advisory-SVG-CVE-2023-34329 + +Minor updates may be made without re-distribution to the sites. + + +Comments +======== + +Comments or questions should be sent to svg-rat at mailman.egi.eu + +If you find or become aware of another vulnerability which is relevant to EGI +you may report it by e-mail to + +report-vulnerability at egi.eu + +the EGI Software Vulnerability Group will take a look according to the +procedure defined in [R 5] + +Note that this is undergoing revision to fully handle vulnerabilities in the +EOSC era. + + +References +========== + +[R 1] https://www.bleepingcomputer.com/news/security/critical-ami-megarac-bugs-can-let-hackers-brick-vulnerable-servers/ +[R 2] https://nvd.nist.gov/vuln/detail/CVE-2023-34329 +[R 3] https://nvd.nist.gov/vuln/detail/CVE-2023-34330 + +[R 5] https://documents.egi.eu/public/ShowDocument?docid=3867 + + +Credit +====== + +SVG was alerted to this vulnerability by Barbara Krasovec who is a member of +the EGI SVG + +Timeline +======== + +Yyyy-mm-dd [EGI-SVG-CVE-2023-34329] + +2023-07-07 SVG alerted to this issue by Barbara Krasovec +2023-07--- Investigation of vulnerability and relevance to EGI carried out +2023-07-26 EGI SVG decided to send alert to sites, as a small number may be vulnerable. 
+2023-07-27 Alert sent to sites + + +Context +======= + +This advisory has been prepared as part of the effort to fulfil EGI SVG's +purpose "To minimize the risk to the EGI infrastructure arising from software +vulnerabilities" + +The risk is that assessed by the group, according to the EGI SVG issue handling +procedure [R 5] in the context of how the software is used in the EGI +infrastructure. It is the opinion of the group, we do not guarantee it to be +correct. The risk may also be higher or lower in other deployments depending on +how the software is used. + +----------------------------- +Others may re-use this information provided they:- + +1) Respect the provided TLP classification + +2) Credit the EGI https://www.egi.eu/ Software Vulnerability Group +------------------------------ + +Note that the SVG issue handling procedure is currently under review, to take +account of the increasing inhomogeneity of the EGI infrastructure and the +services in the EOSC catalogue. + +On behalf of the EGI SVG, +```
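Review bot: the References section of the new advisory skips a number (entries run [R 1], [R 2], [R 3] and then [R 5]), so either an [R 4] entry was dropped or the issue-handling procedure reference should be renumbered to [R 4] and the two in-text citations "procedure defined in [R 5]" and "procedure [R 5]" updated to match. In the Timeline, the template line "Yyyy-mm-dd [EGI-SVG-CVE-2023-34329]" and the placeholder date "2023-07--- Investigation of vulnerability and relevance to EGI carried out" look unfinished; fill in the investigation date and drop the template line before flipping "published: false" to true. Minor: the Title line says "Two BMC vulnerabilities (CVE-2023-34329)" while the body covers CVE-2023-34329 and CVE-2023-34330, so listing both identifiers in the title would match the redirect_from entry already present in the front matter; "Updated:" is left empty and "It is the opinion of the group, we do not guarantee it to be correct." is a comma splice.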