* OpenBMC Solution To CVE issues
@ 2019-08-13  3:21 Yonghui YH21 Liu
  2019-08-13 14:46 ` Joseph Reynolds
  0 siblings, 1 reply; 5+ messages in thread
From: Yonghui YH21 Liu @ 2019-08-13  3:21 UTC (permalink / raw)
  To: OpenBMC Maillist

Hi All,
         I saw there are some solutions to public CVE issues; some solutions are not enabled in the default settings.
         As we know, there are some new CVE issues coming. Could you help confirm whether the issues below will be fixed? If yes, when will they be ready?

         CVE-2019-12900
         CVE-2018-20843
         CVE-2019-9169
         CVE-2018-20750
         CVE-2019-13404


Thank you for your great support in advance!

Thanks



* Re: OpenBMC Solution To CVE issues
  2019-08-13  3:21 OpenBMC Solution To CVE issues Yonghui YH21 Liu
@ 2019-08-13 14:46 ` Joseph Reynolds
  2019-08-13 15:55   ` Patrick Venture
  2019-08-13 20:53   ` Ed Tanous
  0 siblings, 2 replies; 5+ messages in thread
From: Joseph Reynolds @ 2019-08-13 14:46 UTC (permalink / raw)
  To: Yonghui YH21 Liu, OpenBMC Maillist

On 8/12/19 10:21 PM, Yonghui YH21 Liu wrote:
>
> Hi All,
>
>          I saw there are some solutions to public CVE issues; some
> solutions are not enabled in the default settings.
>
I've provided my initial thoughts about how these CVEs affect OpenBMC.
This is from the point of view of code running on OpenBMC 2.7.0 
systems.  My responses disregard vulnerabilities which may affect the 
build host.

Will BMC subject matter experts review the information below and provide 
answers?

- Joseph

>          As we know, there are some new CVE issues coming. Could you
> help confirm whether the issues below will be fixed? If yes, when will
> they be ready?
>
>       CVE-2019-12900
>
The problem: BZ2 decompress - affects bzip2 through 1.0.6
Impact: we are impacted, we are at bzip2 1.0.6
How to exploit?  Do any OpenBMC interfaces use BZ2 compression? Image 
upload?  Web interfaces?  If so, we may be impacted.

> CVE-2018-20843
>
The problem: affects Expat XML before 2.2.7
Impact: Not applicable, OpenBMC does not use XML

> CVE-2019-9169
>
The problem: glibc/libc6 regexec proceed_next_node
Impact: we are impacted, we are on glibc 2.29
How to exploit?  Do any OpenBMC interfaces parse regular expressions?  
If so, we may be impacted?  If not, this will be hard to exploit.

> CVE-2018-20750
>
The problem: libvncserver/rfbserver.c, affects LibVNC through 0.9.12
Impact: we may be impacted, we are on 0.9.12
Does our KVM use vncserver?

> CVE-2019-13404
>
The problem: Python installer, applies to Windows
Impact: not applicable, note that OpenBMC removed Python from the image

> Thank you for your great support in advance!
>
> Thanks
>


* Re: OpenBMC Solution To CVE issues
  2019-08-13 14:46 ` Joseph Reynolds
@ 2019-08-13 15:55   ` Patrick Venture
  2019-08-13 20:53   ` Ed Tanous
  1 sibling, 0 replies; 5+ messages in thread
From: Patrick Venture @ 2019-08-13 15:55 UTC (permalink / raw)
  To: Joseph Reynolds; +Cc: Yonghui YH21 Liu, OpenBMC Maillist

On Tue, Aug 13, 2019 at 7:46 AM Joseph Reynolds <jrey@linux.ibm.com> wrote:
>
> On 8/12/19 10:21 PM, Yonghui YH21 Liu wrote:
> >
> > Hi All,
> >
> >          I saw there are some solutions to public CVE issues; some
> > solutions are not enabled in the default settings.
> >
> I've provided my initial thoughts about how these CVEs affect OpenBMC.
> This is from the point of view of code running on OpenBMC 2.7.0
> systems.  My responses disregard vulnerabilities which may affect the
> build host.
>
> Will BMC subject matter experts review the information below and provide
> answers?
>
> - Joseph
>
> >          As we know, there are some new CVE issues coming. Could you
> > help confirm whether the issues below will be fixed? If yes, when will
> > they be ready?
> >
> >       CVE-2019-12900
> >
> The problem: BZ2 decompress - affects bzip2 through 1.0.6
> Impact: we are impacted, we are at bzip2 1.0.6
> How to exploit?  Do any OpenBMC interfaces use BZ2 compression? Image
> upload?  Web interfaces?  If so, we may be impacted.
>
> > CVE-2018-20843
> >
> The problem: affects Expat XML before 2.2.7
> Impact: Not applicable, OpenBMC does not use XML
>
> > CVE-2019-9169
> >
> The problem: glibc/libc6 regexec proceed_next_node
> Impact: we are impacted, we are on glibc 2.29
> How to exploit?  Do any OpenBMC interfaces parse regular expressions?
> If so, we may be impacted?  If not, this will be hard to exploit.

We parse regular expressions, however they're pre-programmed, versus
allowing user-input.  This makes them difficult to exploit.  I don't
know if bmcweb offers that type of input from the user, but I can't
imagine -- but someone can follow up.

>
> > CVE-2018-20750
> >
> The problem: libvncserver/rfbserver.c, affects LibVNC through 0.9.12
> Impact: we may be impacted, we are on 0.9.12
> Does our KVM use vncserver?
>
> > CVE-2019-13404
> >
> The problem: Python installer, applies to Windows
> Impact: not applicable, note that OpenBMC removed Python from the image
>
> > Thank you for your great support in advance!
> >
> > Thanks
> >
>


* Re: OpenBMC Solution To CVE issues
  2019-08-13 14:46 ` Joseph Reynolds
  2019-08-13 15:55   ` Patrick Venture
@ 2019-08-13 20:53   ` Ed Tanous
  1 sibling, 0 replies; 5+ messages in thread
From: Ed Tanous @ 2019-08-13 20:53 UTC (permalink / raw)
  To: openbmc

On 8/13/19 7:46 AM, Joseph Reynolds wrote:
>>
> The problem: BZ2 decompress - affects bzip2 through 1.0.6
> Impact: we are impacted, we are at bzip2 1.0.6
> How to exploit?  Do any OpenBMC interfaces use BZ2 compression? Image
> upload?  Web interfaces?  If so, we may be impacted.
The web doesn't implement BZ2 compression, only GZIP.

> 
>> CVE-2018-20843
>>
> The problem: affects Expat XML before 2.2.7
> Impact: Not applicable, OpenBMC does not use XML
Do we even use libexpat anywhere?  We use XML in several places, but I
can't think of anywhere we use Expat.

> 
>> CVE-2019-9169
>>
> The problem: glibc/libc6 regexec proceed_next_node
> Impact: we are impacted, we are on glibc 2.29
> How to exploit?  Do any OpenBMC interfaces parse regular expressions? 
> If so, we may be impacted?  If not, this will be hard to exploit.
I just audited all uses of std::regex in bmcweb.  They are all using
compile-time strings for generating their expression.  Also, all uses
are post-authentication (on purpose) so even if there was an exploit, it
would be a relatively low CVE score, as it would require valid
credentials to exploit.

> 
>> CVE-2018-20750
>>
> The problem: libvncserver/rfbserver.c, affects LibVNC through 0.9.12
> Impact: we may be impacted, we are on 0.9.12
> Does our KVM use vncserver?
Yes.  We will just need to upgrade the package version when the new
release is available.

> 
>> CVE-2019-13404
>>
> The problem: Python installer, applies to Windows
> Impact: not applicable, note that OpenBMC removed Python from the image
> 
>> Thank you for your great support in advance!
>>
>> Thanks
>>
> 
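
An added example, not part of the original thread and not the procedure Ed Tanous used: a heuristic Python scan that lists each std::regex construction in C++ source and flags those whose pattern is not a lone string literal, which is the property the audit above checked. The sample C++ source and every name in the script are constructed for illustration.

```python
import re
from typing import List, NamedTuple

class Finding(NamedTuple):
    line: int          # 1-based line of the construction
    pattern_arg: str   # text of the first constructor argument
    literal: bool      # True if the pattern is a lone string literal

# `std::regex name(`, `std::regex name{`, or a temporary `std::regex(`.
# \b keeps std::regex_match / std::regex_search from matching.
_CTOR = re.compile(r'std::regex\b\s*(?:\w+\s*)?[({]\s*')
# C++ string literal: ordinary "..." or raw R"delim(...)delim", optional prefix.
_LITERAL = re.compile(
    r'(?:u8|[uUL])?(?:R"([^()\\\s]{0,16})\(.*?\)\1"|"(?:[^"\\\n]|\\.)*")', re.S)
_TO_ARG_END = re.compile(r'[^,)}\n;]*')

def audit_regex_sites(source: str) -> List[Finding]:
    """List each std::regex construction and whether its pattern is fixed."""
    findings = []
    for m in _CTOR.finditer(source):
        rest = source[m.end():]
        lit = _LITERAL.match(rest)
        end = lit.end() if lit else 0
        # Text between the literal and the end of the argument (e.g. `+ name`)
        # means runtime data is mixed into the pattern.
        tail = _TO_ARG_END.match(rest, end).group(0)
        arg = (rest[:end] + tail).strip()
        line = source.count("\n", 0, m.start()) + 1
        findings.append(Finding(line, arg, bool(lit) and not tail.strip()))
    return findings

def needs_review(source: str) -> List[Finding]:
    """Constructions whose pattern may depend on runtime (possibly user) input."""
    return [f for f in audit_regex_sites(source) if not f.literal]

# Constructed sample input, not taken from bmcweb.
SAMPLE = r'''
static const std::regex validFilename(R"(^[\w\- ]+(\.?[\w\- ]+)*$)");
bool match(const std::string& userPattern, const std::string& s) {
    std::regex re(userPattern);            // pattern comes from caller
    std::regex pre("^/redfish/" + s);      // literal with runtime data appended
    return std::regex_match(s, std::regex("^[0-9]+$"));
}
'''

if __name__ == "__main__":
    for f in audit_regex_sites(SAMPLE):
        print(f"line {f.line}: {'literal' if f.literal else 'REVIEW'}  {f.pattern_arg}")
```

The scan is conservative: a function that returns std::regex, or adjacent literals that the compiler would concatenate, is reported for review rather than cleared.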


* OpenBMC Solution To CVE Issues
@ 2019-08-12 13:43 Yonghui YH21 Liu
  0 siblings, 0 replies; 5+ messages in thread
From: Yonghui YH21 Liu @ 2019-08-12 13:43 UTC (permalink / raw)
  To: OpenBMC Maillist


Hi All,
         I saw there are some solutions to public CVE issues; some solutions are not enabled in the default settings.
         As we know, there are some new CVE issues coming. Could you help confirm whether the issues below will be fixed? If yes, when will they be ready?

         CVE-2019-12900
         CVE-2018-20843
         CVE-2019-9169
         CVE-2018-20750
         CVE-2019-13404


Thank you for your great support in advance!

Thanks


