CVE-2021-25124

7.8 HIGH

📋 TL;DR

This CVE describes a local path traversal vulnerability in the Baseboard Management Controller (BMC) firmware of specific HPE Cloudline servers. An attacker with local access to the BMC can exploit this to delete arbitrary files on the system, potentially leading to denial of service or system compromise. Affected systems include HPE Cloudline CL5800 Gen9, CL5200 Gen9, CL4100 Gen10, CL3100 Gen10, and CL5800 Gen10 servers.

💻 Affected Systems

Products:
  • HPE Cloudline CL5800 Gen9 Server
  • HPE Cloudline CL5200 Gen9 Server
  • HPE Cloudline CL4100 Gen10 Server
  • HPE Cloudline CL3100 Gen10 Server
  • HPE Cloudline CL5800 Gen10 Server
Versions: Specific BMC firmware versions as detailed in HPE advisory
Operating Systems: BMC firmware (not host OS dependent)
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in the BMC firmware's spx_restservice deletevideo_func function. Requires local access to the BMC interface.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system compromise through deletion of critical system files, rendering the server inoperable or allowing privilege escalation.

🟠 Likely Case: Denial of service by deleting important BMC or system files, disrupting server management capabilities.

🟢 If Mitigated: Limited impact if proper access controls restrict local BMC access to authorized administrators only.

🌐 Internet-Facing: LOW - This is a local vulnerability requiring access to the BMC interface, which typically shouldn't be internet-facing.
🏢 Internal Only: HIGH - If attackers gain internal network access to BMC interfaces, they can exploit this vulnerability to disrupt server operations.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires local access to the BMC interface. The path traversal vulnerability in deletevideo_func allows file deletion operations.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Update to BMC firmware version specified in HPE advisory HPSBHF04073

Vendor Advisory: https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf04073en_us

Restart Required: Yes

Instructions:

1. Download the updated BMC firmware from HPE Support.
2. Access the BMC web interface.
3. Navigate to the firmware update section.
4. Upload and apply the firmware update.
5. Reboot the BMC as required.

🔧 Temporary Workarounds

Restrict BMC Network Access

Limit network access to BMC interfaces to authorized management networks only using firewall rules.

Implement Strong BMC Authentication

Ensure BMC interfaces use strong, unique credentials and consider multi-factor authentication if supported.

🧯 If You Can't Patch

  • Isolate BMC management interfaces on separate VLANs with strict access controls
  • Implement network monitoring for unusual BMC access patterns or file deletion attempts

🔍 How to Verify

Check if Vulnerable:

Check BMC firmware version against affected versions listed in HPE advisory HPSBHF04073

Check Version:

Check via BMC web interface under System Information or use IPMI commands: ipmitool mc info

Verify Fix Applied:

Verify BMC firmware has been updated to version specified in HPE advisory and confirm version matches patched release
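
The version check described above can be scripted for a fleet. This is an added example, not code from HPE or from the original page; the function names are hypothetical, the sample output and the 1.10 threshold are constructed, and it assumes the fixed version from advisory HPSBHF04073 is expressed in the same dotted numeric form as the Firmware Revision line printed by ipmitool mc info.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from HPE or the page.

# Constructed sample of `ipmitool mc info` output (not from a real system).
SAMPLE_MC_INFO='Device ID                 : 32
Device Revision           : 1
Firmware Revision         : 1.08
IPMI Version              : 2.0'

# Print the "Firmware Revision" value from `ipmitool mc info` output on stdin.
bmc_fw_revision() {
    awk -F: '/^Firmware Revision/ { gsub(/[ \t\r]/, "", $2); print $2; exit }'
}

# Succeed if dotted version $1 >= $2, comparing each field numerically
# (so 1.10 is newer than 1.9; missing fields count as 0).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        len = (n > m) ? n : m
        for (i = 1; i <= len; i++) {
            xi = (i <= n) ? x[i] + 0 : 0
            yi = (i <= m) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# Read mc info on stdin; $1 is the fixed version from the advisory.
# Prints PATCHED (rc 0), VULNERABLE (rc 1) or UNKNOWN (rc 2, no revision found).
check_bmc() {
    rev=$(bmc_fw_revision)
    if [ -z "$rev" ]; then echo UNKNOWN; return 2; fi
    if version_ge "$rev" "$1"; then echo PATCHED; return 0; fi
    echo VULNERABLE; return 1
}

# Real use: ipmitool mc info | check_bmc "<fixed version from HPSBHF04073>"
# Demo on the constructed sample with a constructed threshold of 1.10:
printf '%s\n' "$SAMPLE_MC_INFO" | check_bmc "1.10" || true
```

Treat UNKNOWN as a finding to investigate rather than a pass: a BMC that does not report a parsable revision has not been verified as patched.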

📡 Detection & Monitoring

Log Indicators:

  • Unusual file deletion events in BMC logs
  • Multiple failed authentication attempts to BMC interface
  • Unexpected BMC firmware modification attempts

Network Indicators:

  • Unusual traffic patterns to BMC IP addresses
  • Multiple connection attempts to BMC web/API interfaces from unauthorized sources

SIEM Query:

source="bmc_logs" AND (event_type="file_deletion" OR event_type="firmware_modification")
