CVSS3
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
AI Score
Confidence: High
EPSS Percentile: 32.5%
The BMC is vulnerable during the time it is connected to the network and does not yet have its “admin” account password set.
CVEID:CVE-2024-35124
**DESCRIPTION:** During a new OpenBMC installation, an attacker with network access can gain administrative access while the initial password has not yet been set.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/290674 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)
| Affected Product(s) | Version(s) |
|---|---|
| OPENBMC | FW1050.00 - FW1050.10 |
| OPENBMC | FW1030.00 - FW1030.50 |
| OPENBMC | FW1020.00 - FW1020.60 |
Customers with the products below should install FW1020.70(1020_120), FW1030.51(1030_089), FW1050.12(1050_075), or newer to remediate this vulnerability.
Power 10
The images mentioned above can be located at IBM Fix Central: <https://www.ibm.com/support/fixcentral/>
Install and operate the eBMC system on a private network or public network that is behind a firewall.
Immediately after you plug the eBMC system into the network, log in to the default admin account of the eBMC system and set the password. You can complete this task by using the eBMC web-based Advanced System Management Interface (ASMI) GUI.
To detect whether this problem has occurred, check the BMC for administrator accounts you do not recognize and for any sessions you do not recognize. Note that for BMCs managed by Hardware Management Consoles (HMCs), it is normal for the HMCs to hold a BMC session using the “admin” account.
To mitigate this issue, remove any unwanted BMC administrator accounts (being careful to keep your “admin” account) and remove any BMC sessions you do not recognize. Note that if your BMC is managed by a Hardware Management Console (HMC), it is normal for the HMC to re-establish any lost BMC sessions.
You can use the BMC’s ASMI web application to perform these tasks:
- Menu item: Security and access > HMC and user sessions
- Menu item: Security and access > User management
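As an added detection example (not IBM's or the OpenBMC project's own code), the script below applies the two checks above, unrecognized administrator accounts and unrecognized sessions, to data in the shape of OpenBMC's Redfish AccountService and SessionService responses, treating an “admin” session from a known HMC address as normal. The endpoint paths, field names, trusted addresses and sample records are assumptions constructed for the example, not captured from a real BMC.

```python
"""Audit an OpenBMC's account and session lists for administrators and
sessions that should not exist on a freshly provisioned BMC."""
import json

# Known-good state for one BMC (constructed values; adapt to your estate).
EXPECTED_ACCOUNTS = {"admin"}
TRUSTED_ORIGINS = {"10.0.0.20", "10.0.0.21"}  # HMCs and admin workstations

# Constructed sample records in the shape returned by the assumed Redfish
# resources /redfish/v1/AccountService/Accounts/<id> and
# /redfish/v1/SessionService/Sessions/<id> (hypothetical, not captured).
SAMPLE_ACCOUNTS = [
    {"Id": "admin", "UserName": "admin", "RoleId": "Administrator", "Enabled": True},
    {"Id": "backup1", "UserName": "backup1", "RoleId": "Administrator", "Enabled": True},
    {"Id": "ops", "UserName": "ops", "RoleId": "ReadOnly", "Enabled": True},
]
SAMPLE_SESSIONS = [
    {"Id": "s1", "UserName": "admin", "ClientOriginIPAddress": "10.0.0.20"},
    {"Id": "s2", "UserName": "backup1", "ClientOriginIPAddress": "198.51.100.7"},
    {"Id": "s3", "UserName": "admin", "ClientOriginIPAddress": "203.0.113.9"},
]


def unexpected_admins(accounts, expected=EXPECTED_ACCOUNTS):
    """Administrator-role accounts that you did not provision yourself."""
    return sorted(a["UserName"] for a in accounts
                  if a.get("RoleId") == "Administrator"
                  and a.get("UserName") not in expected)


def unexpected_sessions(sessions, accounts, trusted=TRUSTED_ORIGINS):
    """Sessions held by an unexpected account or coming from an untrusted
    address. An 'admin' session from a trusted HMC address is not reported."""
    rogue_users = set(unexpected_admins(accounts))
    findings = []
    for s in sessions:
        user, origin = s.get("UserName"), s.get("ClientOriginIPAddress", "")
        if user in rogue_users or origin not in trusted:
            findings.append((s["Id"], user, origin))
    return findings


def audit(accounts, sessions):
    """Combine both checks into one report; empty lists mean nothing found."""
    return {"unexpected_admins": unexpected_admins(accounts),
            "unexpected_sessions": unexpected_sessions(sessions, accounts)}


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_ACCOUNTS, SAMPLE_SESSIONS), indent=2))
```

Anything reported should be removed through the ASMI menus listed above, keeping the “admin” account itself.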