CVE-2021-39295

7.5 HIGH

📋 TL;DR

CVE-2021-39295 is a denial-of-service vulnerability in OpenBMC 2.9 where specially crafted IPMI messages sent to the netipmid interface can crash the BMC (Baseboard Management Controller). This affects systems running OpenBMC 2.9 with IPMI lan+ interface enabled, potentially disrupting remote management capabilities.

💻 Affected Systems

Products:
  • OpenBMC
Versions: OpenBMC 2.9
Operating Systems: Linux-based BMC firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems with IPMI lan+ interface enabled. Systems using other IPMI interfaces or disabled IPMI may not be vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete BMC unavailability requiring physical access to reset or replace hardware, disrupting all remote management functions including power control, monitoring, and firmware updates.

🟠 Likely Case: Temporary BMC service disruption requiring manual restart, causing loss of remote monitoring and management until service is restored.

🟢 If Mitigated: Limited impact with proper network segmentation and access controls, potentially only affecting isolated management networks.

🌐 Internet-Facing: MEDIUM - While BMC interfaces shouldn't be internet-facing, misconfigurations could expose them. Exploitation requires network access to the IPMI port (623).
🏢 Internal Only: HIGH - BMC interfaces are typically on internal management networks where attackers with network access could exploit this vulnerability.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The advisory includes technical details and proof-of-concept information. Exploitation requires sending crafted IPMI packets to the vulnerable interface.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: OpenBMC versions after 2.9

Vendor Advisory: https://github.com/google/security-research/security/advisories/GHSA-gg9x-v835-m48q

Restart Required: Yes

Instructions:

1. Update OpenBMC to a version after 2.9.
2. Apply available security patches from your hardware vendor.
3. Restart the BMC service or reboot the system.

🔧 Temporary Workarounds

Disable IPMI lan+ interface (Linux)

Temporarily disable the vulnerable IPMI lan+ interface if it is not required:

systemctl stop netipmid
systemctl disable netipmid

Network segmentation (Linux)

Restrict access to the BMC IPMI port (default 623) using firewall rules. The rules below drop all IPMI-over-LAN traffic; if IPMI must remain reachable, insert ACCEPT rules for trusted management hosts ahead of them:

iptables -A INPUT -p tcp --dport 623 -j DROP
iptables -A INPUT -p udp --dport 623 -j DROP

🧯 If You Can't Patch

  • Implement strict network access controls to limit connections to BMC IPMI port (623) only from trusted management systems
  • Monitor BMC logs for unusual IPMI traffic patterns and implement rate limiting on IPMI connections

🔍 How to Verify

Check if Vulnerable:

Check the OpenBMC version with cat /etc/os-release | grep VERSION_ID. If VERSION_ID is 2.9 and the netipmid service is running, the system is vulnerable.

Check Version:

cat /etc/os-release | grep VERSION_ID

Verify Fix Applied:

Verify OpenBMC version is greater than 2.9 and test IPMI functionality remains operational after patch.

📡 Detection & Monitoring

Log Indicators:

  • BMC service crashes in system logs
  • netipmid process termination logs
  • Unusual IPMI message patterns in BMC logs

Network Indicators:

  • Multiple malformed IPMI packets to port 623
  • IPMI traffic from unexpected sources

SIEM Query:

source="bmc_logs" AND ("netipmid crashed" OR "segmentation fault") AND "ipmi"
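An added example, not part of this advisory, that applies the log indicators above to journald-style BMC log lines so the SIEM query logic can be checked offline; the regex wording and the sample lines are constructed assumptions, not real OpenBMC output:

```python
import re

# Indicator patterns for the log signals listed above. The exact wording a
# BMC emits varies, so these regexes are assumptions and match case-insensitively.
NETIPMID_TERMINATED = re.compile(
    r"netipmid.*(crash|exited|dumped|terminated|failed|core-dump)", re.I)
SEGFAULT = re.compile(r"segfault|segmentation fault|SIGSEGV|/SEGV", re.I)
IPMI = re.compile(r"ipmi", re.I)
TIMESTAMP = re.compile(r"^([A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d)")


def classify(line: str):
    """Return the indicator class a journal line matches, or None."""
    if NETIPMID_TERMINATED.search(line):
        return "netipmid-terminated"
    # Equivalent of ("segmentation fault" AND "ipmi") in the SIEM query.
    if SEGFAULT.search(line) and IPMI.search(line):
        return "ipmi-segfault"
    return None


def scan(lines):
    """Return one record per matching line: timestamp, indicator, raw text."""
    hits = []
    for line in lines:
        kind = classify(line)
        if kind is None:
            continue
        m = TIMESTAMP.match(line)
        hits.append({"time": m.group(1) if m else None,
                     "indicator": kind, "line": line.rstrip()})
    return hits


def summarize(hits):
    """Count hits per indicator so repeated netipmid crashes stand out."""
    counts = {}
    for h in hits:
        counts[h["indicator"]] = counts.get(h["indicator"], 0) + 1
    return counts


# Constructed sample journal lines (not captured from a real BMC).
SAMPLE_LOG = """\
Mar 03 10:14:02 bmc systemd[1]: Started IPMI over LAN daemon.
Mar 03 10:15:41 bmc netipmid[812]: RMCP+ open session request from 10.0.0.7
Mar 03 10:15:41 bmc kernel: netipmid[812]: segfault at 0 ip 00400c2e sp 7ffc1a00 error 4
Mar 03 10:15:41 bmc systemd[1]: netipmid.service: Main process exited, code=dumped, status=11/SEGV
Mar 03 10:15:42 bmc systemd[1]: netipmid.service: Failed with result 'core-dump'.
Mar 03 10:16:00 bmc sshd[900]: Accepted publickey for root from 10.0.0.5
""".splitlines()
```

Feed `scan()` the output of `journalctl --no-pager` from the BMC to run it against real logs; a rising `netipmid-terminated` count over a short window is the signal worth alerting on.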
