Vulnerability in Supermicro BMC IPMI firmware, “Terrapin”, October 2024

Vulnerability Disclosure:

The purpose of this disclosure is to communicate the potential vulnerabilities affecting Supermicro products that were reported by an external researcher.

Summary:

A security issue has been discovered in select Supermicro motherboards.

CVE ID	Severity	Description
CVE-2023-48795	Moderate (5.9)	The Terrapin attack technique could potentially lead to both parties communicating over SSH using less secure algorithms, such as ChaCha20-Poly1305 or CBC mode ciphers mentioned on the website (https://terrapin-attack.com/)

Affected products:

Supermicro BMC firmware in select X11, X12, H12, M12, X13, H13, and A3 motherboards (and CMM6 modules).

Remediation:

All affected Supermicro motherboard SKUs will require a BMC update to mitigate these potential vulnerabilities.

An updated BMC firmware has been created to mitigate these potential vulnerabilities. Please check Release notes for the resolution.

Exploitation and Public Announcements:

Supermicro is not aware of any malicious use of these vulnerabilities in the wild.

Resources:

CVE-2023-48795

Rackmount-Server

1U-Doppelprozessor

2U-Doppelprozessor

Einzelner Prozessor

Multiprozessor

Produkt-Familien

GPU-Server

8U-GPU-Linien

4U-GPU-Linien

2U-GPU-Linien

1U-GPU-Linien

Twin Servers

FlexTwin™

BigTwin®

GrandTwin®

TwinPro®

Twin

FatTwin®

Blade-Server

SuperBlade®

MicroBlade®

MicroCloud

Storage Servers

Alle Speichersysteme

All-Flash NVMe

Top-Loading Storage

JBOF

Unternehmensoptimierter Speicher

JBOD-Storage-Gehäuse

Motherboards

Gehäuse

SuperRack®

Zubehör

Edge & Telecom Servers

Fanless Edge Systems

Compact Edge Systems

Outdoor Edge Systems

1U Edge Network Systems

5G/Telecom Systems

Eingebettete Komponenten

Eingebettete Motherboards

Eingebettetes Fahrgestell

Switches

Adapters

SuperWorkstations

Liquid-Cooled AI Development Platform

Einzelprozessor

Dual-Prozessor

Supero™ Gaming Solutions

KI-Infrastruktur

KI-SuperCluster

KI-Lösungen für Branchen

Edge AI

KI-Speicher

NVIDIA-Lösungen

AMD-Lösungen

Intel-Lösungen

HPC

Rack-Lösungen

Flüssigkeits­kühlung

Datenverwaltung

KI-Speicher

Software-definierte Speicherung und Speicher

Hyperkonvergente Infrastruktur

Veeam

Unternehmensanwendungen und Datenanalyse

Datentechnik

Datenbank & ERP

Microsoft

Cloud & Virtualisierung

Cloud Service Providers (CSPs)

Google Distributed Cloud

Kanonischer OpenStack

Red Hat OpenStack

Kubernetes

Virtual Desktop

5G, Edge Computing und IoT

5G and Telecom Solutions

Rakuten Symphony

IoT Edge-Lösungen

Flüssigkeitskühlung