Potential security vulnerabilities in some Intel® OpenBMC firmware may allow escalation of privilege and information disclosure. Intel is releasing firmware updates to mitigate these potential vulnerabilities.
CVEID: CVE-2023-32280
Description: Insufficiently protected credentials in some Intel® Server Product OpenBMC firmware before version egs-1.05 may allow an unauthenticated user to enable information disclosure via network access.
CVSS Base Score: 5.3 Medium
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVEID: CVE-2023-31189
Description: Improper authentication in some Intel® Server Product OpenBMC firmware before version egs-1.09 may allow an authenticated user to enable escalation of privilege via local access.
CVSS Base Score: 5.2 Medium
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Affected products: Sapphire Rapids Eagle Stream with 4th Generation Intel® Xeon® Scalable Processors before version PLR4 Release.
Intel recommends that users of OpenBMC update to the latest version provided by the system manufacturer that addresses these issues.
These issues were found internally by Intel employees.
Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.