Vulnerabilities in Supermicro BMC Firmware, April 2024

Vulnerability Disclosure:

The purpose of this disclosure is to communicate the potential vulnerabilities affecting Supermicro products that were reported by an external researcher.

Acknowledgement:

Supermicro would like to acknowledge the work done by Binarly researchers for discovering potential vulnerabilities in Supermicro BMC IPMI firmware.

Summary:

Three security issues have been discovered in select Supermicro motherboards. These issues affect the web server component of Supermicro BMC (Web UI).

Issue ID	Severity	Issue Type	Description
SMCI ID: SMC-2024010010 CVE ID: TBD Binarly ID: BRLY-2023-022	High	Command Injection Attack	Backend command used by the BMC for SMTP notification will accept un-sanitized credentials that allow for BMC OS command injection. A BMC account with administrator privilege is required to be logged in. Supermicro CVSSv3 score: 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
SMCI ID: SMC-2024010011 CVE ID: TBD Binarly ID: BRLY-2023-023	High	XSS attack	Poisoned lang local storage item is evaluated without sanitation that allow the unauthorized creation of user accounts on behalf of the logged in user accounts on behalf of the logged in account with administrator privileges. Supermicro CVSSv3 score: 8.3 (AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)
SMCI ID: SMC-2024010012 CVE ID: CVE-2023-33413 Binarly ID: BRLY-2023-030	High	Command Injection attack	Supermicro’s BMC allows an SNMP configuration file to be uploaded and applied. The configuration file could be used to load additional modules from unauthorized dynamic libraries. The malicious configuration is persistent across BMC reboots. A BMC account with administrator privilege is required. Supermicro CVSSv3 score: 8.3 (AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)

Issue ID

Severity

Issue Type

Description

SMCI ID: SMC-2024010010
CVE ID: TBD
Binarly ID: BRLY-2023-022

High

Command Injection Attack

Backend command used by the BMC for SMTP notification will accept un-sanitized credentials that allow for BMC OS command injection. A BMC account with administrator privilege is required to be logged in.

Supermicro CVSSv3 score: 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)

SMCI ID: SMC-2024010011
CVE ID: TBD
Binarly ID: BRLY-2023-023

High

XSS attack

Poisoned lang local storage item is evaluated without sanitation that allow the unauthorized creation of user accounts on behalf of the logged in user accounts on behalf of the logged in account with administrator privileges.

Supermicro CVSSv3 score: 8.3 (AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)

SMCI ID: SMC-2024010012
CVE ID: CVE-2023-33413
Binarly ID: BRLY-2023-030

High

Command Injection attack

Supermicro’s BMC allows an SNMP configuration file to be uploaded and applied. The configuration file could be used to load additional modules from unauthorized dynamic libraries. The malicious configuration is persistent across BMC reboots. A BMC account with administrator privilege is required.

Supermicro CVSSv3 score: 8.3 (AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)

Affected products:

Supermicro BMC in select X11, X12, X13, H11, H12, H13, M11, M12, B11 and B12 motherboards (and CMMs).

Remediation:

All affected Supermicro motherboard SKUs will require a BMC update to mitigate these potential vulnerabilities.

Updated BMC firmware have been created to mitigate these potential vulnerabilities. Supermicro is currently testing and validating affected products. Please check release notes for the resolution.

Exploitation and Public Announcements:

Supermicro is not aware of any malicious use of these vulnerabilities in the wild.

Rackmount Servers

1U Dual Processor

2U Dual Processor

Single Processor

Multi Processor

Product Families

GPU Servers

8U GPU Lines

4U GPU Lines

2U GPU Lines

1U GPU Lines

Twin Servers

BigTwin®

GrandTwin®

TwinPro®

Twin

FatTwin®

Blade Servers

SuperBlade®

MicroBlade®

MicroCloud

Storage Servers

All Storage Systems

All-Flash NVMe

Top-Loading Storage

Enterprise-Optimized Storage

JBOD Storage Enclosures

Motherboards

Server Boards

Workstation Boards

Embedded / IoT Boards

Desktop / Gaming Boards

Previous Gen.

Motherboard Matrix

Global SKUs

Chassis

1U Chassis

2U Chassis

3U Chassis

4U / Tower Chassis

Mid / Mini-Tower

Embedded / IoT Chassis

Mobile Racks / Drive Kits

JBOD Storage Enclosures

Global SKUs

SuperRack®

Data Center Solution Engineering (DCSE)

Rack Integration Service

Accessories

Cable Matrix

Riser Card Matrix

Storage AOC Matrix

Power Supply Matrix

Heatsink Matrix

System Fan Matrix

Mobile Racks / Drive Kits

Front Chassis Bezels

Storage, I/O, Security

Edge & Telecom Servers

Fanless Edge Systems

Compact Edge Systems

Outdoor Edge Systems

1U Edge Network Systems

5G/Telecom Systems

Embedded Motherboards

Embedded Chassis

Switches

Adapters

SuperWorkstations

Liquid-Cooled AI Development Platform

Single-Processor

Dual-Processor

Supero™ Gaming Solutions

AI Infrastructure

NVIDIA Solutions

Intel Solutions

AMD Solutions

AI Storage

Edge AI

AI SuperCluster