Vulnerability Disclosure:
The purpose of this disclosure is to communicate the potential vulnerabilities affecting Supermicro products that were reported by an external researcher.
Acknowledgement:
Supermicro would like to acknowledge the work done by Binarly researchers for discovering potential vulnerabilities in Supermicro BMC IPMI firmware.
Summary:
Three security issues have been discovered in select Supermicro motherboards. These issues affect the web server component of Supermicro BMC (Web UI).
| Issue ID | Severity | Issue Type | Description |
|---|---|---|---|
| | High | Command injection | The backend command the BMC runs to send SMTP notifications accepts unsanitized credentials, allowing OS command injection on the BMC. The attacker must be logged in to a BMC account with administrator privilege. Supermicro CVSSv3 score: 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) |
| | High | Cross-site scripting (XSS) | A poisoned lang local storage item is evaluated without sanitization, allowing the unauthorized creation of user accounts on behalf of the logged-in account with administrator privileges. Supermicro CVSSv3 score: 8.3 (AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H) |
| | High | Command injection | The BMC allows an SNMP configuration file to be uploaded and applied. The configuration file can be used to load additional modules from unauthorized dynamic libraries, and the malicious configuration persists across BMC reboots. A BMC account with administrator privilege is required. Supermicro CVSSv3 score: 8.3 (AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H) |
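The first and third issues above are instances of two general patterns: credentials spliced into a shell command line, and an agent configuration file that is allowed to name code to load. The following is an added illustration written for this page, not Supermicro's or Binarly's code; the helper path and option names are hypothetical, and the audit assumes a net-snmp style snmpd.conf (the advisory does not name the SNMP agent). It shows the injectable string-building form beside the argv form that removes the shell, and a line-by-line audit that flags the net-snmp directives capable of loading shared objects or running external programs.

```python
import shlex
from typing import List, Tuple

# Hypothetical helper path and option names used for illustration only;
# they are not the names of any Supermicro component.
SMTP_HELPER = "/usr/local/bin/smtp-notify"


def build_smtp_command_unsafe(user: str, password: str, host: str) -> str:
    """The injectable pattern: credentials spliced into a shell command line.

    If this string is handed to a shell (system(), popen(), shell=True),
    any shell operator inside `password` starts a new command.
    """
    return f"{SMTP_HELPER} --host {host} --user {user} --password {password}"


def build_smtp_argv(user: str, password: str, host: str) -> List[str]:
    """Hardened form: one argv element per value and no shell involved.

    Execute with subprocess.run(argv) (shell=False, the default); the
    password reaches the helper as a single argument whatever it contains.
    """
    return [SMTP_HELPER, "--host", host, "--user", user, "--password", password]


def quoted_command_line(argv: List[str]) -> str:
    """Render argv as a shell-safe string (for logging, or for callers that
    must go through a shell): every element is quoted individually."""
    return shlex.join(argv)


# net-snmp snmpd.conf directives that load shared objects or run external
# code. Assumption: the BMC's SNMP agent accepts a net-snmp style file; the
# advisory only states that a configuration file can be uploaded and applied.
CODE_LOADING_DIRECTIVES = {
    "dlmod",                                        # load a shared object into the agent
    "extend", "extendfix", "exec", "execfix", "sh", # run external commands
    "pass", "pass_persist",                         # delegate OID subtrees to a program
    "perl", "perlinitfile",                         # embedded perl
}


def audit_snmpd_conf(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, line) for each directive that can load code.

    Directive names are compared case-insensitively, matching net-snmp's own
    token handling. Blank lines and comments are skipped.
    """
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        directive = line.split(None, 1)[0].lower()
        if directive in CODE_LOADING_DIRECTIVES:
            findings.append((lineno, line))
    return findings


# Constructed sample upload; not a real BMC configuration.
SAMPLE_SNMPD_CONF = """\
# constructed snmpd.conf sample
rocommunity public 192.0.2.0/24
sysLocation Rack 12
dlmod evil /tmp/evil.so
extend check /bin/sh -c 'id > /tmp/out'
pass_persist .1.3.6.1.4.1.99999 /tmp/agent.py
"""


def main() -> None:
    injected = "hunter2; touch /tmp/pwned"  # constructed attacker-controlled password
    print("unsafe:", build_smtp_command_unsafe("admin", injected, "mail.example.com"))
    print("argv:  ", quoted_command_line(build_smtp_argv("admin", injected, "mail.example.com")))
    for lineno, line in audit_snmpd_conf(SAMPLE_SNMPD_CONF):
        print(f"snmpd.conf line {lineno} loads code: {line}")


if __name__ == "__main__":
    main()
```

The argv form is the fix that removes the bug class rather than filtering around it: with no shell in the path there is no metacharacter to escape, and shlex.join only matters if a command line has to be logged or handed to a shell anyway. The audit is a server-side acceptance check for uploaded configuration, and because the advisory notes that a malicious configuration persists across BMC reboots, the same check run over the stored file is a useful indicator of compromise on units that have not yet been updated.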
Affected products:
Supermicro BMC in select X11, X12, X13, H11, H12, H13, M11, M12, B11 and B12 motherboards (and CMMs).
Remediation:
All affected Supermicro motherboard SKUs require a BMC firmware update to mitigate these potential vulnerabilities.
Updated BMC firmware has been created to mitigate these potential vulnerabilities. Supermicro is currently testing and validating it on the affected products. Please check the release notes for the resolution.
Exploitation and Public Announcements:
Supermicro is not aware of any malicious use of these vulnerabilities in the wild.