
Security Bulletin: A mitigation is being announced to address CVE-2021-29789

2021-12-07 14:14:40
www.ibm.com

Summary

IBM products 8335-GTC, 8335-GTG, 8335-GTH, 8335-GTW, and 8335-GTX have identified a security vulnerability. BMC field mode is normally enabled but may not be enabled on systems which have had their BMC replaced.

Vulnerability Details

CVEID: CVE-2021-29789
Description: IBM BMCs could have been shipped with an incorrect configuration setting which could lead to a denial of service or allow unintended firmware to be installed on the device.
CVSS Base Score: 6.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/203321 for more information
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

Affected Product(s)                  Version(s)
8335-GTC, 8335-GTG, and 8335-GTW     OP910
8335-GTH and 8335-GTX                OP920
8335-GTH and 8335-GTX                OP930
8335-GTH and 8335-GTX                OP940

Remediation/Fixes

Refer to the steps in the Workarounds and Mitigations section.

Workarounds and Mitigations

Check whether BMC field mode is disabled and, if so, enable it by following all the steps below. The steps shown are for a Linux command shell which has access to the BMC. Step 1 requires two substitutions before it will work on your BMC: replace <bmc ip address> with your BMC's IP address, and replace the empty <> placeholder in the password field with your password.

1. Login to your BMC’s REST server:

export bmcip=<bmc ip address>
export token=`curl -k -H "Content-Type: application/json" -X POST https://${bmcip}/login -d '{"username": "root", "password": "<>"}' | grep token | awk '{print $2;}' | tr -d '"'`

2. Check if BMC field mode is enabled:

curl -k -H "X-Auth-Token: $token" -X GET https://${bmcip}/xyz/openbmc_project/software/attr/FieldModeEnabled

A response which contains "data": true means field mode is enabled; "data": false means field mode is disabled.

3. If field mode is disabled, invoke the REST API to enable BMC field mode:

curl -k -H "X-Auth-Token: $token" -H 'Content-Type: application/json' -X PUT -d '{"data":1}' https://${bmcip}/xyz/openbmc_project/software/attr/FieldModeEnabled

4. Logout of the BMC’s REST server:

curl -k -H "X-Auth-Token: $token" -X POST https://${bmcip}/logout
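The four steps above, combined into one script as an added example (this is not part of the IBM bulletin). It uses the same REST endpoints and the same "data" check the bulletin shows, but puts the response handling in functions so that a failed login or an error body is never mistaken for "field mode is enabled", and it re-reads the attribute after the PUT instead of trusting the PUT alone. The environment variable names BMC_IP and BMC_PASSWORD and the function names are assumptions for this example.

```shell
#!/bin/sh
# Added example, not code from the IBM bulletin. Checks BMC field mode over the
# OpenBMC REST API and enables it if it is off. Assumes the REST paths and the
# /login and /logout endpoints shown in the bulletin, and that a GET on the
# FieldModeEnabled attribute returns a JSON object with a "data" member.

# Classify the body of a GET on .../software/attr/FieldModeEnabled.
# Prints "enabled", "disabled" or "unknown"; "unknown" covers error bodies
# (e.g. an expired session), so a failed request never reads as "enabled".
field_mode_state() {
  case "$1" in
    *'"data": true'*|*'"data":true'*)   echo enabled ;;
    *'"data": false'*|*'"data":false'*) echo disabled ;;
    *)                                  echo unknown ;;
  esac
}

# Extract the session token from the /login response body. Works whether the
# JSON is pretty-printed (one member per line) or on a single line; prints
# nothing when there is no token (wrong password, wrong URL).
login_token() {
  printf '%s\n' "$1" |
    sed -n 's/.*"token"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Run the bulletin's steps 1-4 against one BMC. "-k" is kept exactly as in
# the bulletin (BMC self-signed certificates); replace it with --cacert once
# you have the BMC's CA. Returns non-zero unless field mode ends up enabled.
ensure_field_mode() {
  bmcip="$1"; password="$2"
  base="https://${bmcip}"
  attr="${base}/xyz/openbmc_project/software/attr/FieldModeEnabled"

  # Step 1: log in and capture the token.
  login_body=$(curl -sk -H "Content-Type: application/json" -X POST "${base}/login" \
      -d "{\"username\": \"root\", \"password\": \"${password}\"}")
  token=$(login_token "$login_body")
  if [ -z "$token" ]; then
    echo "login failed for ${bmcip}" >&2
    return 1
  fi

  # Step 2: read the current state.
  state=$(field_mode_state "$(curl -sk -H "X-Auth-Token: $token" -X GET "$attr")")
  echo "${bmcip}: field mode ${state}"

  # Step 3: enable only when the read says "disabled", then re-read to confirm.
  if [ "$state" = disabled ]; then
    curl -sk -H "X-Auth-Token: $token" -H 'Content-Type: application/json' \
         -X PUT -d '{"data":1}' "$attr" >/dev/null
    state=$(field_mode_state "$(curl -sk -H "X-Auth-Token: $token" -X GET "$attr")")
    echo "${bmcip}: after enable, field mode ${state}"
  fi

  # Step 4: log out regardless of the outcome.
  curl -sk -H "X-Auth-Token: $token" -X POST "${base}/logout" >/dev/null
  [ "$state" = enabled ]
}

# Only touch the network when the operator supplies a target, e.g.
#   BMC_IP=<bmc ip address> BMC_PASSWORD='<>' sh check_field_mode.sh
if [ -n "${BMC_IP:-}" ]; then
  ensure_field_mode "$BMC_IP" "${BMC_PASSWORD:?set BMC_PASSWORD}"
fi
```

Passing the password through the environment rather than on the curl command line keeps it out of the process list, and the exit status of ensure_field_mode lets the script be run across a fleet of BMCs with the failures collected from a loop.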
