View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0000353 | AlmaLinux-9 | fwupd | public | 2023-01-05 11:29 | 2023-01-05 11:30 |
| Priority | Severity | Reproducibility |
|---|---|---|
| high | major | have not tried |
Summary: 0000353: fwupd outdated, may cause BMC inaccessibility and security issue
Description:

There is/was a known problem with older fwupd versions on Supermicro creating an IPMI user (https://github.com/fwupd/fwupd/issues/5129, https://github.com/fwupd/fwupd/pull/5058). In addition, the generated password is not protected (https://www.suse.com/security/cve/CVE-2022-3287.html).

AlmaLinux 9.1 ships with the old version 1.7.9 of fwupd. On one of my machines, both issues struck.

(1) I suddenly couldn't access the BMC any more because fwupd changed the ADMIN password. As my physical access to the machine is very restricted, this could have been a major problem, as I was just configuring the network and had only "shaky" access to the machine (and thus IPMI from the root account).

(2) The generated credentials for fwupd were created in a file with 666 access.
Steps To Reproduce:

I'm currently experimenting with three identical machines. Only one machine was affected. I don't know why, because I don't know what triggers fwupd's IPMI user creation. I assume that explicitly starting fwupd on the other machines results in the same behavior, but I'm definitely not going to try.
Additional Information:

Both issues have been addressed in the current version of fwupd. I'm well aware that AlmaLinux effectively depends on upstream fixes from RedHat. But there must be some way to handle such critical issues.
Tags: No tags attached.