CVE-2024-3411
Severity CVSS v4.0:
Pending analysis
Type:
CWE-331
Insufficient Entropy
Publication date:
30/04/2024
Last modified:
04/11/2025
Description
Implementations of IPMI Authenticated sessions does not provide enough randomness to protect from session hijacking, allowing an attacker to use either predictable IPMI Session ID or weak BMC Random Number to bypass security controls using spoofed IPMI packets to manage BMC device.
Impact
Base Score 3.x
9.10
Severity 3.x
CRITICAL
References to Advisories, Solutions, and Tools
- https://kb.cert.org/vuls/id/163057
- https://www.dell.com/support/kbdoc/en-US/000226504/dsa-2024-295-security-update-for-dell-idrac8-ipmi-session-vulnerability
- https://www.intel.la/content/dam/www/public/us/en/documents/specification-updates/ipmi-intelligent-platform-mgt-interface-spec-2nd-gen-v2-0-spec-update.pdf
- https://kb.cert.org/vuls/id/163057
- https://www.dell.com/support/kbdoc/en-US/000226504/dsa-2024-295-security-update-for-dell-idrac8-ipmi-session-vulnerability
- https://www.intel.la/content/dam/www/public/us/en/documents/specification-updates/ipmi-intelligent-platform-mgt-interface-spec-2nd-gen-v2-0-spec-update.pdf
- https://www.kb.cert.org/vuls/id/163057