Vulnerability in Supermicro BMC IPMI firmware, “Terrapin”, October 2024

Vulnerability Disclosure:

The purpose of this disclosure is to communicate the potential vulnerabilities affecting Supermicro products that were reported by an external researcher.

Summary:

A security issue has been discovered in select Supermicro motherboards.

CVE ID	Severity	Description
CVE-2023-48795	Moderate (5.9)	The Terrapin attack technique could potentially lead to both parties communicating over SSH using less secure algorithms, such as ChaCha20-Poly1305 or CBC mode ciphers mentioned on the website (https://terrapin-attack.com/)

Affected products:

Supermicro BMC firmware in select X11, X12, H12, M12, X13, H13, and A3 motherboards (and CMM6 modules).

Remediation:

All affected Supermicro motherboard SKUs will require a BMC update to mitigate these potential vulnerabilities.

An updated BMC firmware has been created to mitigate these potential vulnerabilities. Please check Release notes for the resolution.

Exploitation and Public Announcements:

Supermicro is not aware of any malicious use of these vulnerabilities in the wild.

Resources:

CVE-2023-48795

Rackmount Servers

1U Dual Processor

2U Dual Processor

Single Processor

Multi Processor

Product Families

GPU Servers

8U GPU Lines

4U GPU Lines

2U GPU Lines

1U GPU Lines

Twin Servers

FlexTwin™

BigTwin®

GrandTwin®

TwinPro®

Twin

FatTwin®

Blade Servers

SuperBlade®

MicroBlade®

MicroCloud

Storage Servers

All Storage Systems

All-Flash NVMe

Top-Loading Storage

JBOF

Enterprise-Optimized Storage

JBOD Storage Enclosures

Motherboards

Server Boards

Workstation Boards

Embedded / IoT Boards

Desktop / Gaming Boards

Previous Gen.

Motherboard Matrix

Global SKUs

Chassis

1U Chassis

2U Chassis

3U Chassis

4U / Tower Chassis

Mid / Mini-Tower

Embedded / IoT Chassis

Mobile Racks / Drive Kits

JBOD Storage Enclosures

Global SKUs

SuperRack®

Data Center Solution Engineering (DCSE)

Rack Integration Service

Accessories

Cable Matrix

Riser Card Matrix

Storage AOC Matrix

Power Supply Matrix

Heatsink Matrix

System Fan Matrix

Mobile Racks / Drive Kits

Front Chassis Bezels

Storage, I/O, Security

Edge & Telecom Servers

Fanless Edge Systems

Compact Edge Systems

Outdoor Edge Systems

1U Edge Network Systems

5G/Telecom Systems

Embedded Components

Embedded Motherboards

Embedded Chassis

Switches

Adapters

SuperWorkstations

Liquid-Cooled AI Development Platform

Single-Processor

Dual-Processor

Supero™ Gaming Solutions

AI Infrastructure

AI SuperCluster

AI Solutions for Industries

Edge AI