CVE-2021-25128
📋 TL;DR
This CVE describes a path traversal vulnerability in the Baseboard Management Controller (BMC) firmware of specific HPE Cloudline servers. It allows local attackers to access arbitrary files on the system through the spx_restservice gethelpdata_func function. Affected organizations are those using HPE Cloudline CL5800 Gen9, CL5200 Gen9, CL4100 Gen10, CL3100 Gen10, or CL5800 Gen10 servers.
💻 Affected Systems
- HPE Cloudline CL5800 Gen9 Server
- HPE Cloudline CL5200 Gen9 Server
- HPE Cloudline CL4100 Gen10 Server
- HPE Cloudline CL3100 Gen10 Server
- HPE Cloudline CL5800 Gen10 Server
📦 What is this software?
Cloudline CL3100 Gen10 Server Firmware by HPE
Cloudline CL4100 Gen10 Server Firmware by HPE
Cloudline CL5200 Gen9 Server Firmware by HPE
⚠️ Risk & Real-World Impact
Worst Case
An attacker with local access could read sensitive system files, potentially obtaining credentials, configuration data, or other critical information that could lead to full server compromise.
Likely Case
Local users or attackers who gain initial access could read restricted files, potentially escalating privileges or gathering intelligence for further attacks.
If Mitigated
With proper network segmentation and access controls that limit BMC access to authorized administrators, exposure is significantly reduced: only authorized users can reach the vulnerable function.
🎯 Exploit Status
Exploitation requires local access to the BMC interface. The vulnerability is in a specific function that can be triggered through the REST service.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Refer to HPE advisory for specific firmware versions
Vendor Advisory: https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf04073en_us
Restart Required: Yes
Instructions:
1. Download the updated BMC firmware from the HPE support portal.
2. Follow HPE's firmware update procedures for the specific server model.
3. Apply the firmware update through the BMC web interface or HPE tools.
4. Reboot the server to complete the update.
🔧 Temporary Workarounds
Restrict BMC Network Access
Limit network access to BMC interfaces to authorized management networks only
Configure firewall rules to restrict access to BMC IP addresses on ports 80/443/623
Implement Strong Authentication
Ensure BMC interfaces use strong, unique credentials and consider multi-factor authentication
Change default BMC passwords
Implement account lockout policies
🧯 If You Can't Patch
- Isolate BMC management networks from production and user networks
- Implement strict access controls and monitoring for BMC interfaces
🔍 How to Verify
Check if Vulnerable:
Check BMC firmware version against HPE's advisory. Access BMC web interface and navigate to firmware information page.
Check Version:
Use HPE iLO or BMC web interface to check firmware version, or use: ipmitool mc info (if configured)
Verify Fix Applied:
Verify BMC firmware version has been updated to the patched version specified in HPE advisory.
📡 Detection & Monitoring
Log Indicators:
- Unusual access patterns to BMC REST endpoints
- Multiple failed authentication attempts followed by successful access to spx_restservice
Network Indicators:
- Unusual traffic to BMC IP addresses on ports 80/443/623 from unauthorized sources
SIEM Query:
source="BMC_logs" AND (uri="*gethelpdata_func*" OR uri="*spx_restservice*")
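The log indicators and SIEM query above can also be run as an offline check over exported BMC web logs. The following is an added example, not HPE's or this page's own tooling. The log layout, the `session` path, the `page` parameter and the failure threshold are assumptions made for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample lines: "<src_ip> <status> <method> <uri>".
# The layout and URI shapes are assumptions, not the BMC's real log format.
SAMPLE_LOG = """\
10.0.5.20 200 GET /spx_restservice/gethelpdata_func?page=overview
10.0.9.77 401 POST /spx_restservice/session
10.0.9.77 401 POST /spx_restservice/session
10.0.9.77 401 POST /spx_restservice/session
10.0.9.77 200 POST /spx_restservice/session
10.0.9.77 200 GET /spx_restservice/gethelpdata_func?page=..%2f..%2fexample.conf
10.0.9.78 200 GET /spx_restservice/gethelpdata_func?page=%252e%252e/%252e%252e/example.conf
10.0.5.20 200 GET /index.html
"""

WATCHED = ("spx_restservice", "gethelpdata_func")  # terms from the SIEM query
FAIL_THRESHOLD = 3  # assumed count of failures that qualifies as "multiple"

def fully_decode(uri, rounds=3):
    """Undo nested percent-encoding so %252e%252e is seen as '..'."""
    for _ in range(rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri

def has_traversal(uri):
    """True if any path or query segment is exactly '..' after decoding."""
    return ".." in re.split(r"[/\\?&=]", fully_decode(uri))

def scan(log_text):
    alerts, failures = [], {}
    for line in log_text.splitlines():
        parts = line.split(None, 3)
        if len(parts) != 4:
            continue  # skip malformed lines
        src, status, _method, uri = parts
        if not any(term in uri for term in WATCHED):
            continue  # only requests the SIEM query would match
        if has_traversal(uri):
            alerts.append((src, "traversal", uri))
        if status in ("401", "403"):
            failures[src] = failures.get(src, 0) + 1
        elif status.startswith("2"):
            if failures.pop(src, 0) >= FAIL_THRESHOLD:
                alerts.append((src, "failures_then_success", uri))
    return alerts
```

Decoding before matching is what catches the double-encoded request, which a plain substring query for `../` would miss.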