CVE-2021-26575

7.8 HIGH

📋 TL;DR

This CVE describes a path traversal vulnerability in HPE Apollo 70 System BMC firmware (the webdeletesolvideofile function in libifc.so) that allows an attacker to delete arbitrary files on the BMC's filesystem. An attacker with network access to the BMC can use it to remove firmware or configuration files, causing denial of service of the management controller or wider compromise. Only HPE Apollo 70 systems with BMC firmware prior to version 3.0.14.0 are affected.

💻 Affected Systems

Products:
  • HPE Apollo 70 System
Versions: All versions prior to 3.0.14.0
Operating Systems: BMC firmware (not host OS dependent)
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects the Baseboard Management Controller firmware, not the host operating system. Vulnerability exists in libifc.so webdeletesolvideofile function.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Deletion of firmware or configuration files renders the BMC inoperable. Because the BMC controls power, serial console, virtual media and remote KVM for the host, loss or compromise of the management controller also puts host availability and recovery at risk, even though the vulnerable code runs on the BMC rather than the host operating system.

🟠

Likely Case

Denial of service by deleting critical BMC or system files, causing server management functions to fail and potentially requiring physical intervention.

🟢

If Mitigated

Limited impact if BMC is isolated on management network with strict access controls, though file deletion could still disrupt management functions.

🌐 Internet-Facing: HIGH if BMC is exposed to internet, as vulnerability allows unauthenticated file deletion attacks from remote attackers.
🏢 Internal Only: MEDIUM if BMC is on internal management network, as attackers with internal access could still exploit to cause significant disruption.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Path traversal vulnerabilities of this kind have low exploitation complexity: the attacker supplies a filename containing "../" sequences to the deletion handler, and the firmware removes whatever path the sequence resolves to. The advisory describes network access to the BMC as sufficient for exploitation.
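To make the bug class concrete, the following is an added example (not code from the page, from HPE, or from libifc.so) of a "delete a recording by name" handler in its naive and hardened forms. The directory layout, file names and the traversal payload are constructed for the demonstration; the hardened version canonicalises the path with realpath (which also defeats symlinks planted inside the directory) and refuses anything that does not resolve strictly inside the base directory. It assumes a POSIX filesystem.

```python
"""Toy model of a file-deletion web handler: a vulnerable version that joins
user input onto a base directory, and a hardened version that confines the
result. Hypothetical illustration of the bug class, not libifc.so code."""
import os
import shutil
import tempfile

SOL_VIDEO_DIR_NAME = "sol_video"   # assumed layout, for the demo only


def delete_sol_video_vulnerable(base_dir: str, name: str) -> str:
    """Naive handler: trusts 'name' and deletes base_dir/name.
    '../' sequences in 'name' walk out of base_dir."""
    target = os.path.join(base_dir, name)
    os.remove(target)
    return target


def delete_sol_video_hardened(base_dir: str, name: str) -> str:
    """Confine deletion to base_dir:
    1. reject anything that is not a bare filename (separators, '.', '..');
    2. canonicalise with realpath (resolves symlinks too);
    3. require the canonical path to sit strictly inside the canonical base."""
    if not name or os.path.basename(name) != name or name in (".", ".."):
        raise ValueError(f"rejected: not a bare filename: {name!r}")
    base_real = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base_real, name))
    if os.path.commonpath([base_real, target]) != base_real or target == base_real:
        raise ValueError(f"rejected: escapes {base_real}: {target}")
    os.remove(target)
    return target


def demo() -> dict:
    """Build a throwaway tree, run both handlers on a traversal payload and on a
    planted symlink, and report what survived. All files are constructed."""
    root = tempfile.mkdtemp()
    try:
        base = os.path.join(root, SOL_VIDEO_DIR_NAME)
        os.mkdir(base)
        victim = os.path.join(root, "bmc.conf")        # decoy OUTSIDE base
        legit = os.path.join(base, "session1.dat")     # legitimate recording
        for path in (victim, legit):
            open(path, "w").close()
        os.symlink(victim, os.path.join(base, "escape.dat"))  # planted link
        payload = "../bmc.conf"
        results = {}
        for key, name in (("hardened_refused", payload), ("symlink_refused", "escape.dat")):
            try:
                delete_sol_video_hardened(base, name)
                results[key] = False
            except ValueError:
                results[key] = True
        results["victim_survives_hardened"] = os.path.exists(victim)
        delete_sol_video_hardened(base, "session1.dat")   # normal use still works
        results["legit_deleted"] = not os.path.exists(legit)
        delete_sol_video_vulnerable(base, payload)         # walks out of base
        results["victim_survives_vulnerable"] = os.path.exists(victim)
        return results
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The basename check alone is not enough: a symlink placed inside the directory by another bug still resolves outside it, which is why the realpath and commonpath test is kept even after the name has been accepted.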

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.0.14.0 or later

Vendor Advisory: https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf04080en_us

Restart Required: Yes

Instructions:

1. Download BMC firmware version 3.0.14.0 or later from HPE Support and verify the image's integrity (checksum) before use.
2. Back up the current BMC configuration, then log in to the BMC web interface or use your remote management tooling.
3. Navigate to the firmware update section.
4. Upload and apply the new firmware image.
5. Reboot the BMC to complete the installation, then confirm the reported firmware version is 3.0.14.0 or later.

🔧 Temporary Workarounds

Network Isolation (all affected versions)

Isolate the BMC management interface on a dedicated management network with strict firewall rules.

Access Control (all affected versions)

Implement strict network access controls on the BMC interface, allowing only authorized management stations.

🧯 If You Can't Patch

  • Isolate BMC interface on dedicated VLAN with strict firewall rules allowing only trusted management IPs
  • Disable unnecessary BMC services and interfaces, monitor for unauthorized access attempts

🔍 How to Verify

Check if Vulnerable:

Read the BMC firmware version from the BMC web interface (system or firmware information page). If the BMC exposes an SSH command line or a Redfish API, the version can also be read there; the exact command and resource paths depend on the firmware build.

Check Version:

Web interface: log in at https://<bmc-ip>/ and open the system or firmware information page. Redfish (where the firmware provides it): GET https://<bmc-ip>/redfish/v1/Managers, then read the FirmwareVersion property of each Manager member.

Verify Fix Applied:

Confirm the reported firmware version is 3.0.14.0 or later. Compare version components numerically rather than as strings: a plain string comparison ranks 3.0.9.0 above 3.0.14.0.
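As an added example (not from the page or from HPE), here is a version check that compares the BMC's reported firmware version with the fixed release numerically, and a small Redfish client that walks the Managers collection to obtain that version. It assumes the BMC exposes a Redfish service whose Manager resources carry the standard FirmwareVersion property; the host name, credentials and the sample JSON documents are placeholders constructed for the offline run, and the live call is not exercised here.

```python
"""Check an HPE Apollo 70 BMC firmware version against the fixed release.
Added example, not HPE code. Assumes a Redfish service with the standard
Manager.FirmwareVersion property; host, credentials and sample documents are
placeholders."""
import base64
import json
import re
import ssl
import urllib.request

FIXED_VERSION = "3.0.14.0"          # from the HPE advisory


def parse_version(text: str) -> tuple:
    """'3.0.14.0' -> (3, 0, 14, 0). Tolerates a 'v' prefix or trailing build
    text and pads short versions so '3.0.14' compares equal to '3.0.14.0'."""
    m = re.match(r"\s*v?(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unparseable firmware version: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * max(0, 4 - len(parts))


def is_vulnerable(version: str) -> bool:
    """True when the firmware is older than 3.0.14.0. Tuples, not strings:
    a string compare would wrongly rank '3.0.9.0' above '3.0.14.0'."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def assess_managers(collection: dict, managers: dict) -> list:
    """Walk a Redfish Managers collection and report each member's status.
    'collection' is the /redfish/v1/Managers document; 'managers' maps each
    member's @odata.id to its fetched Manager resource."""
    report = []
    for member in collection.get("Members", []):
        path = member["@odata.id"]
        fw = managers[path].get("FirmwareVersion")
        if not fw:
            report.append((path, None, "unknown: no FirmwareVersion"))
            continue
        report.append((path, fw, "VULNERABLE" if is_vulnerable(fw) else "fixed"))
    return report


def redfish_get(bmc: str, path: str, user: str, password: str,
                verify_tls: bool = True) -> dict:
    """HTTPS GET with Basic auth against the BMC. Live call; not run offline."""
    ctx = ssl.create_default_context()
    if not verify_tls:                 # many BMCs ship self-signed certificates
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(f"https://{bmc}{path}")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
        return json.load(resp)


def check_bmc(bmc: str, user: str, password: str, verify_tls: bool = True) -> list:
    """Live check: fetch the Managers collection and every member, then assess."""
    collection = redfish_get(bmc, "/redfish/v1/Managers", user, password, verify_tls)
    managers = {m["@odata.id"]: redfish_get(bmc, m["@odata.id"], user, password, verify_tls)
                for m in collection.get("Members", [])}
    return assess_managers(collection, managers)


# Constructed sample documents (not captured from a real BMC) for an offline run.
SAMPLE_COLLECTION = {"Members": [{"@odata.id": "/redfish/v1/Managers/1"}]}
SAMPLE_MANAGERS = {"/redfish/v1/Managers/1": {"Id": "1", "FirmwareVersion": "3.0.13.0"}}

if __name__ == "__main__":
    for path, fw, status in assess_managers(SAMPLE_COLLECTION, SAMPLE_MANAGERS):
        print(f"{path}: firmware {fw} -> {status}")
    # Live use (placeholder host and credentials):
    # check_bmc("bmc.example.internal", "admin", "password", verify_tls=False)
```

Disabling certificate verification is acceptable for a one-off inventory run against BMCs with self-signed certificates; for recurring checks, pin or install the BMC certificates instead.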

📡 Detection & Monitoring

Log Indicators:

  • Unusual file deletion events in BMC logs
  • Multiple failed authentication attempts to BMC
  • Unexpected connections to BMC web interface

Network Indicators:

  • Unusual traffic patterns to BMC port 443/80
  • Requests to the BMC whose URI contains path traversal sequences, including percent-encoded and double-encoded forms ("../", "..%2f", "%2e%2e/", "%252e%252e%252f") and backslash variants ("..\")

SIEM Query:

(source="bmc_logs" AND (event="file_deletion" OR message="*../*")) OR (dest_ip="bmc_network" AND dest_port IN (80, 443) AND (http_uri="*../*" OR http_uri="*..%2f*" OR http_uri="*%2e%2e*" OR http_uri="*..\\*"))

Adjust the field names and the BMC address range to your log source; the original query's mixed AND/OR without parentheses would match far more than intended.
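Where the BMC's web-server access log can be collected, the traversal check is better done after decoding than with a raw "*../*" wildcard. The following is an added example (not from the page or from HPE): it parses Common Log Format lines, percent-decodes each URI up to twice so that single- and double-encoded sequences are caught, folds backslashes, and reports the requests that contain a traversal. The log lines and the /api/sol_video path are constructed for the demonstration and are not the real libifc.so endpoint.

```python
"""Scan BMC web-server access logs for path-traversal attempts. Added example,
not page or HPE code. Assumes Common Log Format lines; the sample lines and the
/api/sol_video path are constructed, not the real endpoint."""
import re
import urllib.parse

# '..' bounded on the left by start-of-string or a non-alphanumeric, non-dot
# character, and on the right by '/' or end. So 'app..min.js' and '/.../' do
# not match, while 'file=../x' and '/../x' do.
TRAVERSAL = re.compile(r"(?:^|[^A-Za-z0-9.])\.\.(?:/|$)")

# Common Log Format: src ident user [ts] "METHOD URI HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?:\d+|-)'
)


def normalise(uri: str) -> str:
    """Percent-decode up to twice (catches %2e%2e%2f and %252e%252e%252f) and
    fold backslashes so '..\\' is treated like '../'."""
    cur = uri
    for _ in range(2):
        decoded = urllib.parse.unquote(cur)
        if decoded == cur:
            break
        cur = decoded
    return cur.replace("\\", "/")


def has_traversal(uri: str) -> bool:
    """True when the decoded URI contains a directory-traversal sequence."""
    return TRAVERSAL.search(normalise(uri)) is not None


def scan(log_text: str) -> list:
    """Return one record per request whose decoded URI contains a traversal."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # not an access-log line; skip it
        if has_traversal(m["uri"]):
            hits.append({"src": m["src"], "ts": m["ts"], "method": m["method"],
                         "uri": m["uri"], "decoded": normalise(m["uri"]),
                         "status": int(m["status"])})
    return hits


# Constructed sample log (not captured from a real BMC): one plain traversal,
# one single-encoded, one double-encoded, and two benign requests.
SAMPLE_LOG = """\
10.20.0.7 - - [12/Mar/2021:10:01:02 +0000] "GET /api/settings HTTP/1.1" 200 512
10.20.0.7 - - [12/Mar/2021:10:01:05 +0000] "DELETE /api/sol_video?file=../../../etc/passwd HTTP/1.1" 200 2
10.20.0.8 - - [12/Mar/2021:10:02:11 +0000] "GET /static/app..min.js HTTP/1.1" 200 9120
203.0.113.9 - - [12/Mar/2021:10:03:40 +0000] "DELETE /api/sol_video?file=..%2F..%2Fconf%2Fbmc.conf HTTP/1.1" 200 2
203.0.113.9 - - [12/Mar/2021:10:03:41 +0000] "GET /api/sol_video?file=%252e%252e%252fetc%252fshadow HTTP/1.1" 404 0
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['src']} {hit['method']} {hit['decoded']} -> {hit['status']}")
```

A 200 response to a traversal request is the signal to act on; 404s still show that someone is probing. The decoder does not handle overlong UTF-8 or embedded NUL bytes, which some servers also accept; extend normalise() if your BMC's web server is known to tolerate them.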
