CVE-2025-7937
An attacker could trick the BMC administrator into updating the BMC system with a custom image containing malicious content. This would result in the complete compromise of the BMC system, also providing access to the main host OS. It would also allow the attacker to make the attack persistent across a BMC component reboot and to perform lateral movement within the compromised infrastructure, infecting other endpoints.
The firmware image for the X12STW-F motherboard version 01.06.17 has the following regions defined in the fwmap:
offset: 0x0000000, size: 0x00a6280, signed: true - bootloader
offset: 0x0100000, size: 0x0001000, signed: true - sig_table
offset: 0x0110000, size: 0x0010000, signed: true - pdb_seca
offset: 0x0130000, size: 0x031f900, signed: true - kernel
offset: 0x0530000, size: 0x275c080, signed: true - rootFS
offset: 0x2dc0000, size: 0x0010000, signed: false - pdb_isec
The fix for CVE-2024-10237 introduced two additional checks in the fwmap_parser function: fwmap_offset_check and fwmap_attr_check. These checks ensure that fwmap entries can't be located at a custom offset and constrain the attributes they may have. However, since the fwmap region is located in memory by searching for the fwmap signature, it is possible to place a custom fwmap table before the original one, for example at offset 0x40000, which is not used by any other region. This modified fwmap will then be used during image validation.
For example, it is possible to write all the signed regions one after another at offset 0x100000, and introduce a custom fwmap with this content:
offset: 0x100000, size: 0x2b32c00, signed: true - bootloader
Now, the data before 0x100000 can be modified in an arbitrary way, allowing an attacker to control the content of the BMC bootloader. At the same time, validation of such an image will still succeed.
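The following is an added, defender-side model of the two weaknesses described above; it is not Supermicro's code and not part of the BINARLY report. It parses the region listing in the text form used in this advisory, applies a version of fwmap_offset_check (each known region must sit at its fixed offset and offset 0x0 must be inside a signed region), and shows why locating the table by signature search is unsafe: the verifier should read the fwmap from its fixed offset and treat any additional signature copy as a finding. The signature bytes, the expected fwmap offset (0x48000) and the small demo image are constructed placeholders; the region layout and the 0x40000 decoy offset come from the advisory.

```python
# Added example for this advisory: a defender-side model of fwmap validation.
# NOT Supermicro's code. Signature bytes, EXPECTED_FWMAP_OFFSET and the demo
# image are constructed; the region layout is the one listed in the advisory.
import re
from dataclasses import dataclass

FWMAP_SIG = b"FWMAP-SIGNATURE-PLACEHOLDER"   # constructed; real value not on the page
EXPECTED_FWMAP_OFFSET = 0x48000               # constructed assumption

# X12STW-F 01.06.17 layout as given in the advisory.
EXPECTED_OFFSETS = {
    "bootloader": 0x0000000,
    "sig_table": 0x0100000,
    "pdb_seca": 0x0110000,
    "kernel": 0x0130000,
    "rootFS": 0x0530000,
    "pdb_isec": 0x2dc0000,
}

LINE_RE = re.compile(
    r"offset:\s*(0x[0-9a-fA-F]+),\s*size:\s*(0x[0-9a-fA-F]+),"
    r"\s*signed:\s*(true|false)\s*-\s*(\w+)"
)


@dataclass(frozen=True)
class Region:
    name: str
    offset: int
    size: int
    signed: bool

    @property
    def end(self) -> int:
        return self.offset + self.size


def parse_fwmap(text: str) -> list[Region]:
    """Parse the 'offset: ..., size: ..., signed: ... - name' listing format."""
    regions = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparseable fwmap line: {line!r}")
        regions.append(Region(m.group(4), int(m.group(1), 16),
                              int(m.group(2), 16), m.group(3) == "true"))
    return regions


def check_regions(regions: list[Region], expected=EXPECTED_OFFSETS) -> list[str]:
    """Model of fwmap_offset_check plus a coverage rule the bypass violates."""
    findings = []
    by_name = {r.name: r for r in regions}
    for name, off in expected.items():
        r = by_name.get(name)
        if r is None:
            findings.append(f"{name}: region missing from fwmap")
        elif r.offset != off:
            findings.append(f"{name}: offset {r.offset:#x} != expected {off:#x}")
    ordered = sorted(regions, key=lambda r: r.offset)
    for a, b in zip(ordered, ordered[1:]):          # regions must not overlap
        if a.end > b.offset:
            findings.append(f"{a.name} overlaps {b.name}")
    if not any(r.signed and r.offset == 0 for r in regions):
        findings.append("offset 0x0 is not covered by a signed region")
    return findings


def find_signature_offsets(image: bytes, sig: bytes = FWMAP_SIG) -> list[int]:
    """Every offset at which the fwmap signature appears, in image order."""
    offsets, pos = [], image.find(sig)
    while pos != -1:
        offsets.append(pos)
        pos = image.find(sig, pos + 1)
    return offsets


def check_fwmap_location(image: bytes, expected: int = EXPECTED_FWMAP_OFFSET) -> list[str]:
    """Read the table only from its fixed offset; report every other copy.
    A first-hit signature search would instead pick the earliest decoy."""
    hits = find_signature_offsets(image)
    findings = []
    if expected not in hits:
        findings.append(f"no fwmap signature at expected offset {expected:#x}")
    findings += [f"unexpected fwmap signature copy at {h:#x}" for h in hits if h != expected]
    return findings


ORIGINAL_FWMAP = """
offset: 0x0000000, size: 0x00a6280, signed: true - bootloader
offset: 0x0100000, size: 0x0001000, signed: true - sig_table
offset: 0x0110000, size: 0x0010000, signed: true - pdb_seca
offset: 0x0130000, size: 0x031f900, signed: true - kernel
offset: 0x0530000, size: 0x275c080, signed: true - rootFS
offset: 0x2dc0000, size: 0x0010000, signed: false - pdb_isec
"""
CUSTOM_FWMAP = "offset: 0x100000, size: 0x2b32c00, signed: true - bootloader"


def build_demo_image() -> bytes:
    """Constructed 0x50000-byte image: genuine signature at the expected offset,
    a second copy at 0x40000 (the unused offset named in the advisory)."""
    img = bytearray(0x50000)
    img[EXPECTED_FWMAP_OFFSET:EXPECTED_FWMAP_OFFSET + len(FWMAP_SIG)] = FWMAP_SIG
    img[0x40000:0x40000 + len(FWMAP_SIG)] = FWMAP_SIG
    return bytes(img)


if __name__ == "__main__":
    print("original map :", check_regions(parse_fwmap(ORIGINAL_FWMAP)) or "ok")
    print("custom map   :", check_regions(parse_fwmap(CUSTOM_FWMAP)))
    print("demo image   :", check_fwmap_location(build_demo_image()))
```

Run stand-alone, the original layout passes both checks, the single-region custom map is rejected (bootloader moved off 0x0, the other five regions missing, offset 0x0 unsigned), and the demo image is rejected because a second fwmap signature precedes the expected one. The point of check_fwmap_location is that the fixed offset is the source of truth; a scan that stops at the first signature hit is exactly what lets a relocated table win.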
This bug is subject to a 90 day disclosure deadline. After 90 days elapsed or a patch has been made broadly available (whichever is earlier), the bug report will become visible to the public.
BINARLY team