CVE-2021-25171

7.8 HIGH

📋 TL;DR

This vulnerability allows local attackers to execute arbitrary code on HPE Apollo 70 System Baseboard Management Controllers through a buffer overflow in the websetlicensecfg function. Attackers with local access to the BMC can exploit this to gain elevated privileges or compromise the BMC firmware. Only HPE Apollo 70 Systems with vulnerable BMC firmware versions are affected.

💻 Affected Systems

Products:
  • HPE Apollo 70 System
Versions: BMC firmware versions prior to 3.0.14.0
Operating Systems: BMC firmware (not host OS dependent)
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects the Baseboard Management Controller firmware, not the host operating system. The vulnerability exists in the libifc.so library used by the BMC web interface.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of the BMC allowing persistent access, firmware modification, credential theft, and potential lateral movement to connected systems.

🟠

Likely Case

Local privilege escalation leading to BMC administrative access, allowing monitoring/control of server hardware and potential denial of service.

🟢

If Mitigated

Limited impact if proper network segmentation and access controls prevent unauthorized local access to BMC interfaces.

🌐 Internet-Facing: LOW - BMC interfaces should never be directly internet-facing. Exploitation requires local access to BMC management interfaces.
🏢 Internal Only: HIGH - If attackers gain internal network access to BMC management interfaces, exploitation is straightforward and impactful.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires local access to the BMC management interface. The buffer overflow in the websetlicensecfg function can be triggered through crafted requests.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: BMC firmware version 3.0.14.0 or later

Vendor Advisory: https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf04080en_us

Restart Required: Yes

Instructions:

1. Download BMC firmware version 3.0.14.0 or later from HPE Support.
2. Access the BMC web interface or use HPE iLO/SSH.
3. Upload and apply the firmware update through the maintenance interface.
4. Reboot the BMC to complete installation.

🔧 Temporary Workarounds

Restrict BMC Network Access (applies to: all)

  • Limit access to BMC management interfaces to authorized administrative networks only
  • Configure firewall rules to restrict access to the BMC IP on ports 80/443/22/623

Disable Unused BMC Services (applies to: all)

  • Disable the web interface if not required; use serial or a dedicated management network
  • Use HPE iLO configuration to disable web services if not needed

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate BMC management interfaces from general network traffic
  • Enforce strong authentication and limit administrative access to BMC interfaces to essential personnel only

🔍 How to Verify

Check if Vulnerable:

Check the BMC firmware version through the web interface at https://[BMC_IP]/html/index.html, or SSH to the BMC and check the version there

Check Version:

ssh [BMC_IP] 'show /system1/fwversion1' or check web interface System Information page

Verify Fix Applied:

Confirm BMC firmware version is 3.0.14.0 or later through web interface or SSH
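As an added example (not part of this advisory or of HPE's tooling), a small Python helper that takes the version string read out via the SSH or web method above and decides whether it predates the fixed 3.0.14.0 release. It assumes the version appears as a dotted numeric string somewhere in the captured output; the sample strings are constructed. Numeric comparison matters here because a plain string comparison ranks 3.0.9.0 above 3.0.14.0 and would wrongly report an old build as fixed.

```python
import re

# First fixed BMC firmware version, as stated in the advisory above.
FIXED_VERSION = "3.0.14.0"


def parse_version(text):
    """Return the first dotted numeric version in `text` as a tuple of ints.

    Accepts a bare version ("3.0.12.0") or a whole line of CLI/web output
    containing one. Returns None when no dotted version is present.
    """
    m = re.search(r"(\d+(?:\.\d+)+)", text)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def compare_versions(a, b):
    """Compare two version tuples numerically; returns -1, 0 or 1.

    Shorter tuples are zero-padded so that 3.0.14 equals 3.0.14.0.
    """
    n = max(len(a), len(b))
    a = a + (0,) * (n - len(a))
    b = b + (0,) * (n - len(b))
    return (a > b) - (a < b)


def is_vulnerable(version_text, fixed=FIXED_VERSION):
    """True if the reported firmware version is older than the fixed release.

    Raises ValueError on unparseable input instead of silently reporting
    the system as patched, which is the safer failure mode for a check.
    """
    reported = parse_version(version_text)
    if reported is None:
        raise ValueError(f"no firmware version found in: {version_text!r}")
    return compare_versions(reported, parse_version(fixed)) < 0


if __name__ == "__main__":
    # Constructed sample outputs; real BMC output formatting may differ.
    for sample in ("Firmware Version: 3.0.9.0", "3.0.14.0", "fwversion1 = 3.1.2.0"):
        status = "VULNERABLE" if is_vulnerable(sample) else "fixed"
        print(f"{sample!r:36} -> {status}")
```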

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed authentication attempts to BMC web interface
  • Unusual process creation or privilege escalation events in BMC logs
  • Web server crashes or restarts in BMC system logs

Network Indicators:

  • Unusual traffic patterns to BMC web interface on port 80/443
  • Multiple POST requests to license configuration endpoints
  • Traffic from unexpected source IPs to BMC management interface

SIEM Query:

source="BMC_logs" AND (event_type="authentication_failure" OR event_type="web_server_crash")
