Intel Security Center | INTEL:INTEL-SA-00012
History: Jan 19, 2007 - 12:00 a.m.

Intel® Enterprise Southbridge 2 Baseboard Management Controller Denial of Service

www.intel.com

Summary:

A denial of service vulnerability exists in the Intel® Enterprise Southbridge 2 Baseboard Management Controller which may allow malicious users to connect to a server system within a local area network and issue any Intelligent Platform Management Interface command. If proper external network access procedures are followed, the vulnerability is limited to internal access within a local network.

Description:

A denial of service vulnerability exists in the Intel® Enterprise Southbridge 2 Baseboard Management Controller which could be locally exploited by malicious users. The Baseboard Management Controller contains firmware which provides server management access to a server across a local area network. The Baseboard Management Controller firmware follows the Intelligent Platform Management Interface specification for network access. Several revisions of this specification have been released: revision 1.5 and, more recently, revision 2.0. The vulnerability is exposed only when software utilities use Intelligent Platform Management Interface revision 1.5 for network access. Network access is not available until IT professionals enable and configure the Intelligent Platform Management Interface.

This vulnerability is limited to certain Intel® Server products and OEM customers of Intel® Enterprise Southbridge 2 firmware. The vulnerability does not expose the server operating system or data files.

A variety of open source management software utilities are available for download from various locations on the internet. Some allow Intelligent Platform Management Interface revision 1.5 access. These tools expose a firmware flaw which allows insecure access to the Baseboard Management Controller for Intelligent Platform Management Interface commands.

Affected products: