
New Supermicro BMC Vulnerabilities
Server technology firm Supermicro has released critical updates to address new vulnerabilities discovered in its Baseboard Management Controller (BMC) firmware. The BMC implements the Intelligent Platform Management Interface (IPMI) specification, providing out-of-band remote administration of servers independently of the host operating system. That privileged position makes the vulnerabilities a potentially alarming issue for businesses and data centers.
Supermicro releases updates to address vulnerabilities
Supermicro has been swift in its response to the discovery of the new vulnerabilities, issuing updates to counteract the potential threats. The addressed flaws were found in the web interface of the BMC of the X10, X11, X12, H11, and H12 ATEN models. Organizations should install these updates promptly to keep their server systems secure.
Vulnerabilities could allow remote attackers to gain root access
The vulnerabilities discovered could potentially provide external remote attackers with root access to the BMC. This level of access would give attackers the ability to manipulate systems at their most fundamental level, potentially leading to data breaches, planting of malicious code, or reconfiguration of systems for malicious purposes. Given the broad deployment of Supermicro servers, such a vulnerability carries a high risk factor.
Most severe bugs are three cross-site scripting (XSS) vulnerabilities
Apart from the potential root access, the three most severe vulnerabilities discovered are cross-site scripting (XSS) bugs. These vulnerabilities could allow an attacker to perform unauthorized actions on the BMC web interface and manipulate its settings. In worst-case scenarios, complete control of the system could be compromised, resulting in serious data breaches or an inability to provide necessary services.
Impact and Severity of Bugs
The discovery of these vulnerabilities in Supermicro's Baseboard Management Controller firmware carries significant implications. Because the bugs could allow remote attackers to gain root access and pose a severe threat to system security, several parties have examined and rated their severity. Notably, their impact is amplified by the widespread deployment of Supermicro servers globally.
Three bugs rated with a CVSS score of 8.3 by Supermicro’s advisory
Supermicro's advisory has rated three of the discovered bugs with a Common Vulnerability Scoring System (CVSS) score of 8.3. The CVSS is a free and open industry standard for assessing the severity of computer system security vulnerabilities. A score of 8.3 is deemed 'high' severity, indicating that these bugs pose a substantial threat that should be addressed promptly.
Security firm Binarly rates them as 'critical severity' with a CVSS of 9.6
Security firm Binarly, which specializes in the accurate and early detection of cyber threats, assesses the impact of these bugs more severely. Binarly has classified these vulnerabilities as 'critical severity' and assigned a higher CVSS score of 9.6. This evaluation indicates that the vulnerabilities pose an extreme risk that demands immediate attention.
Binarly rates another bug as critical with a CVSS of 9.1
In addition to the vulnerabilities already discussed, Binarly has identified another bug within Supermicro's BMC firmware, which it rates as critical with a CVSS of 9.1. This score highlights the high level of risk associated with this additional vulnerability, further emphasizing the threatening nature of these bugs.
Supermicro rates the same bug with a CVSS of 7.2
Supermicro's assessment, while consistent in recognizing the bug's potential threat, offers a slightly lower CVSS score of 7.2. Despite the discrepancy in scoring, both Supermicro and Binarly categorize the bug as a significant threat that requires prompt action.
Other Identified Flaws
The vulnerabilities discovered in Supermicro's BMC firmware are not limited to those previously mentioned. Additional flaws have been identified by Binarly, some of which could be exploited through phishing emails. One unique flaw could only be exploited using Internet Explorer 11, setting it apart from the others.
Two XSS flaws identified in Supermicro BMC IPMI firmware by Binarly
Binarly has discovered two further XSS flaws in the BMC IPMI firmware provided by Supermicro. XSS flaws, or cross-site scripting vulnerabilities, can allow an attacker to inject malicious scripts into web pages viewed by users. These additional vulnerabilities further underscore the urgent need for organizations employing Supermicro servers to update their systems promptly.
Vulnerabilities exploitable through phishing emails
Adding to the threat posed, these vulnerabilities can be exploited using phishing emails. Attackers could potentially trick unsuspecting users into clicking on malicious links that trigger these vulnerabilities. This method of attack underscores the importance of comprehensive security protocols, including staff training on recognizing potential threats and how to respond to them.
CVE-2023-40290, a high-severity flaw, exploitable only using Internet Explorer 11
CVE-2023-40290 is a high-severity flaw exploitable only through Internet Explorer 11. The flaw is unusual in that its exploitability is restricted to an older browser. However, it still poses a substantial threat to organizations that have not yet phased out this browser, and they must prioritize addressing this vulnerability to protect their systems and information.
Affected Hardware and Potential Exploits
The vulnerabilities recently discovered in Supermicro's BMC firmware are alarming due to the breadth of affected hardware and potential for exploits, especially considering the number of internet-exposed Supermicro IPMI web interfaces. While no known malicious exploits have been reported, the situation underscores the importance of swift and efficient remediation to prevent potential future attacks.
Vulnerabilities impact select B11, CMM, H11, H12, M11, and X11 motherboards
The vulnerabilities discovered affect a number of specific motherboards, including select B11, CMM, H11, H12, M11, and X11 models. These motherboards are used across a broad spectrum of servers and systems, so the potential exposure is significant and widespread.
Binarly observed over 70,000 instances of internet-exposed Supermicro IPMI web interfaces
Adding to the potential threat, cyber threat detection specialist Binarly reported over 70,000 instances of Supermicro IPMI web interfaces exposed to the internet. A BMC web interface that is reachable from the internet dramatically widens the attack surface available to potential attackers and raises the importance of timely mitigation.
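One way a defender can check whether their own BMC web interfaces are being reached from outside the internal network is to review firewall logs for accepted connections to BMC addresses from non-RFC 1918 sources. The following is an added example, not code from the article or from Binarly; the log format, the BMC host list and the log lines are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample firewall log lines (not real data). Source addresses in the
# 198.51.100.0/24 and 203.0.113.0/24 documentation ranges stand in for internet hosts.
SAMPLE_LOG = """\
2023-10-06T09:14:02Z ACCEPT src=10.20.0.15 dst=10.20.5.40 dport=443
2023-10-06T09:14:05Z ACCEPT src=203.0.113.77 dst=10.20.5.40 dport=443
2023-10-06T09:15:11Z ACCEPT src=198.51.100.9 dst=10.20.5.41 dport=623
2023-10-06T09:16:30Z ACCEPT src=192.168.1.8 dst=10.20.5.41 dport=80
2023-10-06T09:17:02Z DROP src=198.51.100.9 dst=10.20.5.42 dport=443
"""

# Addresses of BMC/IPMI interfaces, taken here from a constructed asset inventory.
BMC_HOSTS = {"10.20.5.40", "10.20.5.41", "10.20.5.42"}
# Ports that reach the BMC web UI (80/443) or IPMI-over-LAN (623).
BMC_PORTS = {80, 443, 623}
# RFC 1918 ranges; anything outside them is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DROP) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)

def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)

def find_exposed_bmc_hits(log_text):
    """Return (dst, src, dport) for ACCEPTed connections to a BMC port from an external source."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["action"] != "ACCEPT" or m["dst"] not in BMC_HOSTS:
            continue
        dport = int(m["dport"])
        if dport not in BMC_PORTS:
            continue
        src = ipaddress.ip_address(m["src"])
        # An accepted connection from outside RFC 1918 space means the BMC is reachable from outside.
        if not is_internal(src):
            hits.append((m["dst"], str(src), dport))
    return hits

def exposed_bmc_hosts(log_text):
    """Distinct BMC addresses that accepted at least one external connection."""
    return sorted({dst for dst, _, _ in find_exposed_bmc_hits(log_text)})

if __name__ == "__main__":
    for dst, src, dport in find_exposed_bmc_hits(SAMPLE_LOG):
        print(f"BMC {dst} accepted external connection from {src} on port {dport}")
```

Dropped connections are deliberately ignored, since they show that the perimeter is already blocking the traffic; only accepted ones indicate an actually exposed interface.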
No known malicious exploits of these vulnerabilities reported
While the breadth of these vulnerabilities and their potential for harm are serious, it should be noted that no malicious exploitation of them has been reported to date. However, this should not downplay the urgency of remediating the noted vulnerabilities, as failure to do so could invite exploitation in the future.