CVE-2020-14156: OpenBMC Security Advisory: Network IPMI file permissions world-readable

Network IPMI before 2020-04-03 does not ensure the /etc/ipmi_pass file has strong file permissions. The /etc/ipmi_pass file was created with world-readable permission. Any user with SSH or SCP access to the BMC can read and decode the credentials and escalate to any IPMI user.[…]

https://github.com/openbmc/openbmc/issues/3670

https://lists.ozlabs.org/pipermail/openbmc/2020-June/022020.html

(AFAICT, there is no security page that shows the various CVEs for OpenBMC. Maybe I missed it.)
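To check a BMC for the exposure the advisory describes, inspect the mode of /etc/ipmi_pass. The shell functions below are an added example, not code from OpenBMC or the advisory; the function names, the 0600 target mode, and the availability of `stat -c` on the BMC image are assumptions.

```shell
#!/bin/sh
# Added example (not OpenBMC code). Assumes `stat -c` is available
# (GNU coreutils, or BusyBox built with stat format support).

# Print "missing", "ok", or "exposed:<octal mode>" for a credential file.
check_secret_mode() {
    f=$1
    [ -e "$f" ] || { echo "missing"; return 0; }
    # -L follows symlinks so the mode of the real file is reported.
    mode=$(stat -L -c '%a' "$f") || return 2
    # Any group/other bit (mask 077) gives non-owner accounts access.
    if [ $(( 0$mode & 077 )) -eq 0 ]; then
        echo "ok"
    else
        echo "exposed:$mode"
    fi
}

# Restrict the file to its owner (0600, an assumed target mode) and re-check.
harden_secret_mode() {
    f=$1
    [ -e "$f" ] || { echo "missing"; return 0; }
    chmod 600 "$f" || return 2
    check_secret_mode "$f"
}

# Usage: sh audit.sh /etc/ipmi_pass          (report only)
#        sh audit.sh --fix /etc/ipmi_pass    (tighten, then report)
if [ "$#" -gt 0 ]; then
    if [ "$1" = "--fix" ]; then
        harden_secret_mode "$2"
    else
        check_secret_mode "$1"
    fi
fi
```

Tightening the mode does not undo prior exposure: if the file was readable by other accounts, treat the IPMI credentials in it as disclosed and rotate them.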
