FreeIPMI Buffer Overflow Vulnerability in ipmi-oem Component
Vulnerability
A stack-based buffer overflow vulnerability has been identified in the FreeIPMI tool, specifically in version 1.6.16. The issue arises within the ipmi-oem component, which implements a set of IPMI OEM commands for specific hardware vendors. The vulnerability is triggered by malformed response messages to certain subcommands, leading to an out-of-bounds write. This flaw has been reproduced in the upstream FreeIPMI 1.6.16 version, as well as in the apt-installed system package build of freeipmi-tools 1.6.13-3.
Impact
Exploitation of this vulnerability causes a stack-based buffer overflow, which can lead to arbitrary code execution or a program crash.
Reproduction
The vulnerability can be reproduced by using the ipmi-oem command with the 'supermicro extra-firmware-info' subcommand on a Supermicro server. This can be done after building FreeIPMI 1.6.16 with AddressSanitizer (ASAN) enabled, which will reveal the buffer overflow error. Alternatively, the vulnerability can be reproduced using the apt-installed version of FreeIPMI tools, which will also trigger the buffer overflow detection mechanism.
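To illustrate the defect class described above, the following C snippet (an added example, not FreeIPMI's code) contrasts a response parser that trusts a BMC-supplied length byte with one that validates it before copying; the wire layout, the FW_INFO_MAX capacity, the function names and the sample responses are assumptions constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative wire layout (an assumption, not FreeIPMI's real structures):
 * rsp[0] = IPMI completion code, rsp[1] = payload length, rsp[2..] = payload. */
#define FW_INFO_MAX 16   /* capacity of the caller's fixed-size stack buffer */

/* Vulnerable pattern: the payload length comes from the BMC's response and is
 * used as the copy size without comparing it to the destination capacity, so a
 * malformed response with a large length byte writes past 'out'. Kept only for
 * contrast with the checked version below. */
int fw_info_parse_unchecked(const uint8_t *rsp, size_t rsp_len,
                            uint8_t out[FW_INFO_MAX])
{
    if (rsp_len < 2 || rsp[0] != 0x00)
        return -1;                    /* short message or error completion code */
    memcpy(out, rsp + 2, rsp[1]);     /* rsp[1] may exceed FW_INFO_MAX */
    return (int)rsp[1];
}

/* Hardened form: validate the response-controlled length against both the
 * destination capacity and the bytes actually received before copying. */
int fw_info_parse_checked(const uint8_t *rsp, size_t rsp_len,
                          uint8_t out[FW_INFO_MAX])
{
    if (rsp_len < 2 || rsp[0] != 0x00)
        return -1;                    /* short message or error completion code */
    size_t n = rsp[1];
    if (n > FW_INFO_MAX)
        return -2;                    /* declared length exceeds buffer capacity */
    if (n > rsp_len - 2)
        return -3;                    /* declared length exceeds bytes received */
    memcpy(out, rsp + 2, n);
    return (int)n;
}

int main(void)
{
    /* Constructed sample responses, not captured from real hardware. */
    const uint8_t good[]  = {0x00, 0x04, 'v', '1', '.', '2'};
    const uint8_t huge[]  = {0x00, 0xFF, 'x', 'x'};   /* oversized length byte */
    const uint8_t trunc[] = {0x00, 0x08, 'a', 'b'};   /* length > bytes received */
    uint8_t buf[FW_INFO_MAX];

    printf("good:      %d\n", fw_info_parse_checked(good,  sizeof good,  buf));
    printf("oversized: %d\n", fw_info_parse_checked(huge,  sizeof huge,  buf));
    printf("truncated: %d\n", fw_info_parse_checked(trunc, sizeof trunc, buf));
    return 0;
}
```

Feeding the same constructed responses to the unchecked variant under an ASAN build is the kind of harness that surfaces the out-of-bounds write the advisory describes.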
Remediation
Users can upgrade to FreeIPMI version 1.6.17, which addresses this vulnerability.