Vulnerability Disclosure:
The purpose of this disclosure is to communicate the potential vulnerabilities affecting Supermicro products that were reported by an external researcher.
Acknowledgement:
Supermicro would like to acknowledge the work done by the Binarly team for discovering potential vulnerabilities in Supermicro BMC IPMI Firmware.
Summary:
A number of security issues have been discovered in select Supermicro boards. These issues may affect the web server component of BMC IPMI.
| CVE ID | Severity** | Issue Type | Description** |
|---|---|---|---|
| High | Command Injection attack | An attacker needs to be logged into BMC with administrator privileges to exploit the vulnerability. An unvalidated input value could allow the attacker to perform command injection. Supermicro CVSSv3 score: 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) | |
| High | XSS attack | An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. Supermicro CVSSv3 score: 8.3 (AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H) | |
| High | XSS attack | An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. This vulnerability can only be exploited using Windows IE11 browser. Supermicro CVSSv3 score: 8.3 (AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H) | |
| High | XSS attack | An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. The attacker poisons the administrator’s browser cookies to create a new user. Supermicro CVSSv3 score: 8.3 (AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H) | |
| High | XSS attack | An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. The attacker poisons the administrator’s browser cookies and local storage to create a new user. Supermicro CVSSv3 score: 8.3 (AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H) |
Affected products:
Supermicro BMC in select X11, H11, B11, CMM, M11, and H12 motherboards.
Remediation:
Affected Supermicro motherboard SKUs will require a BMC update to mitigate these potential vulnerabilities.
An updated BMC firmware had been created to mitigate these potential vulnerabilities. Please check BMC Firmware update and the release notes for the resolution and contact technical support for further details.
As an immediate workaround to reduce the attack surface, it is advised to follow the BMC Configuration Best Practices Guide and configure session timeout.
Exploitation and Public Announcements:
Supermicro is not aware of any malicious exploitation of these vulnerabilities in the wild.
Notes:
** Subject to change, pending final review from MITRE.org