Details of VAR-202408-2252

ID

VAR-202408-2252

CVE

CVE-2024-35124

TITLE

IBM of IBM OpenBMC Vulnerability regarding lack of authentication for critical features in

Trust: 0.8

sources: JVNDB: JVNDB-2024-006325

DESCRIPTION

A vulnerability in the combination of the OpenBMC's FW1050.00 through FW1050.10, FW1030.00 through FW1030.50, and FW1020.00 through FW1020.60 default password and session management allow an attacker to gain administrative access to the BMC. IBM X-Force ID: 290674. IBM of IBM OpenBMC There is a vulnerability in the lack of authentication for critical features.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. IBM OpenBMC is a Linux distribution of IBM, used to manage controllers of devices such as servers, top-of-rack switches, or RAID devices

Trust: 2.16

sources: NVD: CVE-2024-35124 // JVNDB: JVNDB-2024-006325 // CNVD: CNVD-2024-43195

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2024-43195

AFFECTED PRODUCTS

vendor:	ibm	model:	openbmc	scope:	gte	version:	fw1030.00	Trust: 1.0
vendor:	ibm	model:	openbmc	scope:	gte	version:	fw1020.00	Trust: 1.0
vendor:	ibm	model:	openbmc	scope:	lte	version:	fw1020.60	Trust: 1.0
vendor:	ibm	model:	openbmc	scope:	gte	version:	fw1050.00	Trust: 1.0
vendor:	ibm	model:	openbmc	scope:	lte	version:	fw1050.10	Trust: 1.0
vendor:	ibm	model:	openbmc	scope:	lte	version:	fw1030.50	Trust: 1.0
vendor:	日立	model:	ep8000 s1014	scope:	-	version:	-	Trust: 0.8
vendor:	日立	model:	ep8000 s1024	scope:	-	version:	-	Trust: 0.8
vendor:	ibm	model:	openbmc	scope:	-	version:	-	Trust: 0.8
vendor:	日立	model:	ep8000 e1050	scope:	-	version:	-	Trust: 0.8
vendor:	ibm	model:	openbmc >=fw1050.00,<=fw1050.10	scope:	-	version:	-	Trust: 0.6
vendor:	ibm	model:	openbmc >=fw1030.00,<=fw1030.50	scope:	-	version:	-	Trust: 0.6
vendor:	ibm	model:	openbmc >=fw1020.00,<=fw1020.60	scope:	-	version:	-	Trust: 0.6

sources: CNVD: CNVD-2024-43195 // JVNDB: JVNDB-2024-006325 // NVD: CVE-2024-35124

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2024-35124
value:	HIGH
Trust: 1.0
psirt@us.ibm.com:	CVE-2024-35124
value:	HIGH
Trust: 1.0
NVD:	CVE-2024-35124
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2024-43195
value:	HIGH
Trust: 0.6

CNVD:	CNVD-2024-43195
severity:	HIGH
baseScore:	7.6
vectorString:	AV:N/AC:H/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	HIGH
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	4.9
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2024-35124
baseSeverity:	HIGH
baseScore:	7.5
vectorString:	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	HIGH
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	1.6
impactScore:	5.9
version:	3.1
Trust: 2.0
NVD:	CVE-2024-35124
baseSeverity:	HIGH
baseScore:	7.5
vectorString:	CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	HIGH
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: CNVD: CNVD-2024-43195 // JVNDB: JVNDB-2024-006325 // NVD: CVE-2024-35124 // NVD: CVE-2024-35124

PROBLEMTYPE DATA

problemtype:	CWE-288	Trust: 1.0
problemtype:	CWE-306	Trust: 1.0
problemtype:	Lack of authentication for critical features (CWE-306) [NVD evaluation ]	Trust: 0.8

sources: JVNDB: JVNDB-2024-006325 // NVD: CVE-2024-35124

PATCH

title:	hitachi-sec-2024-216	url:	https://www.ibm.com/support/pages/node/7163195	Trust: 0.8
title:	Patch for IBM OpenBMC Privilege Escalation Vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/607986	Trust: 0.6

sources: CNVD: CNVD-2024-43195 // JVNDB: JVNDB-2024-006325

EXTERNAL IDS

db:	NVD	id:	CVE-2024-35124	Trust: 3.2
db:	JVNDB	id:	JVNDB-2024-006325	Trust: 0.8
db:	CNVD	id:	CNVD-2024-43195	Trust: 0.6

sources: CNVD: CNVD-2024-43195 // JVNDB: JVNDB-2024-006325 // NVD: CVE-2024-35124

REFERENCES

url:	https://https://exchange.xforce.ibmcloud.com/vulnerabilities/290674	Trust: 1.0
url:	https://www.ibm.com/support/pages/node/7163195	Trust: 1.0
url:	https://nvd.nist.gov/vuln/detail/cve-2024-35124	Trust: 0.8
url:	https://cxsecurity.com/cveshow/cve-2024-35124/	Trust: 0.6

sources: CNVD: CNVD-2024-43195 // JVNDB: JVNDB-2024-006325 // NVD: CVE-2024-35124

SOURCES

db:	CNVD	id:	CNVD-2024-43195
db:	JVNDB	id:	JVNDB-2024-006325
db:	NVD	id:	CVE-2024-35124

LAST UPDATE DATE

2024-11-07T22:31:54.048000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2024-43195	date:	2024-11-06T00:00:00
db:	JVNDB	id:	JVNDB-2024-006325	date:	2024-10-25T06:48:00
db:	NVD	id:	CVE-2024-35124	date:	2024-08-22T13:31:16.353

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2024-43195	date:	2024-11-06T00:00:00
db:	JVNDB	id:	JVNDB-2024-006325	date:	2024-08-23T00:00:00
db:	NVD	id:	CVE-2024-35124	date:	2024-08-13T12:15:06.163