Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 708436 (CVE-2020-5208) - sys-apps/ipmitool: buffer overflows and potentially remote code execution (CVE-2020-5208)
Summary: sys-apps/ipmitool: buffer overflows and potentially remote code execution (CV...
Status: UNCONFIRMED
Alias: CVE-2020-5208
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL: https://github.com/ipmitool/ipmitool/...
Whiteboard: B1 [upstream]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-02-06 00:21 UTC by filip ambroz
Modified: 2020-03-26 15:21 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description filip ambroz 2020-02-06 00:21:19 UTC
from URL:

*Impact

It's been found that multiple functions in ipmitool 1.8.18 neglect proper checking of the data received from a remote LAN party, which may lead to buffer overflows and potentially to remote code execution on the ipmitool side. This is especially dangerous if ipmitool is run as a privileged user.

All users of ipmitool are potentially affected.

*Patches

Version 1.8.19 will have this problem fixed.

*Workarounds

There are no workarounds to completely remediate the vulnerability, but possibility of it being exploited can be significantly lowered by:

- Not running ipmitool as a privileged user
- Not running ipmitool over demilitarized network or against untrusted IPMI-enabled devices
Comment 2 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2020-02-06 18:12:22 UTC
It's not just a single patch, it's a whole series of them and they depend on other commits post 1.8.18.

I'm not sure of upstream's release schedule for 1.8.19 yet, punting to wait for upstream.