Vulnerability in Supermicro BMC IPMI firmware, “Terrapin”, October 2024

Vulnerability Disclosure:

The purpose of this disclosure is to communicate the potential vulnerabilities affecting Supermicro products that were reported by an external researcher.

Summary:

A security issue has been discovered in select Supermicro motherboards.

CVE ID: CVE-2023-48795
Severity: Moderate (CVSS 5.9)
Description: The Terrapin attack allows a man-in-the-middle attacker to delete or alter messages during the SSH handshake without either side detecting it, so the connection can be established with security features downgraded or disabled (for example, the extension negotiation that enables stronger signature algorithms). It applies when the connection uses ChaCha20-Poly1305 or a CBC-mode cipher with Encrypt-then-MAC; see https://terrapin-attack.com/.

Affected products:

Supermicro BMC firmware in select X11, X12, H12, M12, X13, H13, and A3 motherboards (and CMM6 modules).

Remediation:

All affected Supermicro motherboard SKUs require a BMC firmware update to mitigate this vulnerability.

Updated BMC firmware that mitigates this vulnerability has been released. Please check the release notes for the resolution.
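The check a practitioner wants to run against a BMC before and after the firmware update is whether its SSH server still offers the affected modes (ChaCha20-Poly1305, or a CBC cipher with an Encrypt-then-MAC MAC) without advertising the strict key-exchange countermeasure (kex-strict-s-v00@openssh.com). The script below is an added example for this advisory; it is not Supermicro's code and not the scanner published at terrapin-attack.com. The vulnerability rule it applies is an assumption taken from the attack's published preconditions, the two sample KEXINIT offers are constructed (not captured from any Supermicro device), and the hostname argument is whatever BMC you point it at.

```python
"""Terrapin (CVE-2023-48795) precondition check on an SSH server's KEXINIT offer.
Rule (an assumption taken from the published attack preconditions): affected if
chacha20-poly1305@openssh.com, or a *-cbc cipher with an *-etm@openssh.com MAC,
is offered and kex-strict-s-v00@openssh.com is not."""
import socket
import struct

SSH_MSG_KEXINIT = 20
CHACHA20 = "chacha20-poly1305@openssh.com"
STRICT_KEX = {"server": "kex-strict-s-v00@openssh.com",
              "client": "kex-strict-c-v00@openssh.com"}
# KEXINIT name-list fields in wire order (RFC 4253 section 7.1)
FIELDS = ("kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")

def build_kexinit(fields, cookie=bytes(16)):
    """Encode KEXINIT as an SSH binary packet (RFC 4253 section 6)."""
    payload = bytes([SSH_MSG_KEXINIT]) + cookie
    for name in FIELDS:
        names = ",".join(fields.get(name, [])).encode("ascii")
        payload += struct.pack(">I", len(names)) + names
    payload += b"\x00" + struct.pack(">I", 0)   # first_kex_packet_follows, reserved
    padding = 8 - (5 + len(payload)) % 8        # block size 8, at least 4 bytes
    if padding < 4:
        padding += 8
    return struct.pack(">IB", 1 + len(payload) + padding, padding) + payload + bytes(padding)

def parse_kexinit(packet):
    """Decode an unencrypted KEXINIT binary packet into its name-lists."""
    (packet_length,) = struct.unpack_from(">I", packet, 0)
    padding_length = packet[4]
    payload = packet[5:5 + packet_length - padding_length - 1]
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT packet")
    off, fields = 17, {}                        # skip message type and 16-byte cookie
    for name in FIELDS:
        (n,) = struct.unpack_from(">I", payload, off)
        off += 4
        fields[name] = [s for s in payload[off:off + n].decode("ascii").split(",") if s]
        off += n
    return fields

def assess_terrapin(fields, role="server"):
    """Apply the precondition rule above to one peer's KEXINIT offer."""
    ciphers = set(fields["enc_c2s"]) | set(fields["enc_s2c"])
    macs = set(fields["mac_c2s"]) | set(fields["mac_s2c"])
    chacha = CHACHA20 in ciphers
    cbc_etm = (any(c.endswith("-cbc") for c in ciphers)
               and any(m.endswith("-etm@openssh.com") for m in macs))
    strict = STRICT_KEX[role] in fields["kex"]
    return {"chacha20_poly1305": chacha, "cbc_etm": cbc_etm, "strict_kex": strict,
            "vulnerable": (chacha or cbc_etm) and not strict}

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed connection before KEXINIT")
        buf += chunk
    return buf

def fetch_server_kexinit(host, port=22, timeout=5.0):
    """Version exchange (RFC 4253 section 4.2), then read the server's KEXINIT,
    which it sends without waiting for ours. Live network call."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"SSH-2.0-terrapin_check\r\n")
        line = b""
        while True:                              # banner lines before "SSH-" are ignored
            line += _recv_exact(sock, 1)
            if line.endswith(b"\n"):
                if line.startswith(b"SSH-"):
                    break
                line = b""
        header = _recv_exact(sock, 4)
        (packet_length,) = struct.unpack(">I", header)
        packet = header + _recv_exact(sock, packet_length)
    return line.strip().decode("ascii", "replace"), parse_kexinit(packet)

# Constructed sample offers for offline use; not captured from any Supermicro BMC.
UNPATCHED_OFFER = {
    "kex": ["curve25519-sha256", "diffie-hellman-group14-sha256"],
    "hostkey": ["ssh-ed25519", "rsa-sha2-256"],
    "enc_c2s": [CHACHA20, "aes128-ctr", "aes256-cbc"],
    "enc_s2c": [CHACHA20, "aes128-ctr", "aes256-cbc"],
    "mac_c2s": ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-256"],
    "mac_s2c": ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-256"],
    "comp_c2s": ["none"], "comp_s2c": ["none"], "lang_c2s": [], "lang_s2c": [],
}
# Same offer with the strict-kex countermeasure advertised, as a fixed sshd does.
PATCHED_OFFER = dict(UNPATCHED_OFFER, kex=UNPATCHED_OFFER["kex"] + [STRICT_KEX["server"]])

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                        # python3 terrapin_check.py <bmc-host>
        banner, offer = fetch_server_kexinit(sys.argv[1])
        print(banner, assess_terrapin(offer))
    else:
        for label, offer in (("unpatched", UNPATCHED_OFFER), ("patched", PATCHED_OFFER)):
            print(label, assess_terrapin(parse_kexinit(build_kexinit(offer))))
```

Run it with the BMC's address to read the live offer, or with no argument to see the rule applied to the two constructed offers. Note the caveat the rule encodes: a server that still offers ChaCha20-Poly1305 or CBC-EtM but advertises kex-strict-s-v00@openssh.com is reported as not vulnerable, because strict key exchange is the countermeasure that shipped for this CVE, and the attack also needs a client without the matching kex-strict-c-v00@openssh.com support; a server that dropped the affected modes entirely is likewise reported clean.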

Exploitation and Public Announcements:

Supermicro is not aware of any malicious use of these vulnerabilities in the wild.

Resources: