Supermicro’s implementation of the Intelligent Platform Management Interface (IPMI) firmware for baseboard management controllers (BMCs) has serious vulnerabilities that allow unauthorized access to the BMC system. These vulnerabilities pose a significant threat to server security.

Description

Supermicro’s IPMI firmware for BMCs has been found to have multiple vulnerabilities, ranging from High to Critical severity [3]. These vulnerabilities include hard-coded encryption keys, hard-coded credentials with static passwords [1], buffer overflow vulnerabilities [1], a directory traversal flaw [1], cross-site scripting (XSS) flaws [2] [4], and an operating system command injection flaw [2] [4]. One of the vulnerabilities specifically affects Internet Explorer 11 on Windows [2].

These vulnerabilities enable unauthenticated actors to gain root access to the BMC system and execute arbitrary JavaScript code in the context of the logged-in BMC user. Additionally, the operating system command injection flaw allows for the execution of malicious code with administrative privileges [2]. The large number of internet-exposed Supermicro IPMI web interfaces [2] [3] [4], totaling over 70,000 instances [2] [4], highlights the urgency of addressing this threat [3].

Supermicro has released a firmware update to address these vulnerabilities [2] [4], but additional issues remain [1]. There is no evidence of malicious exploitation [2] [3] [4], but an attacker who combines these vulnerabilities to create an account with admin privileges and then perform command injection could completely compromise the BMC system.

Similar security flaws were discovered earlier this year in AMI MegaRAC BMCs, underscoring the importance of securing BMC firmware in server environments [3]. To mitigate the risk, the researchers recommend treating the Supermicro IPMI web management interface as an unprotected root shell and limiting access to it through another form of authentication [1].

Conclusion

The vulnerabilities in Supermicro’s IPMI firmware for BMCs have serious implications for server security. Attackers can gain permanent control over servers [5], even after OS reinstalls [5], and remotely access closed systems. Supermicro has taken steps to address these vulnerabilities, but the need for ongoing vigilance in securing BMC firmware is evident. The impact of these vulnerabilities, combined with the earlier discovery of similar flaws in AMI MegaRAC BMCs, highlights the importance of prioritizing firmware security in server environments.

References

[1] https://www.pcworld.com/article/448551/despite-patches-supermicros-ipmi-firmware-is-far-from-secure-researchers-say.html
[2] https://thehackernews.com/2023/10/supermicros-bmc-firmware-found.html
[3] https://www.blackhatethicalhacking.com/news/supermicros-bmcs-under-siege-critical-vulnerabilities-open-doors-to-attackers/
[4] https://cyberaffairs.com/news/supermicros-bmc-firmware-found-vulnerable-to-multiple-critical-vulnerabilities/
[5] https://www.zdnet.com/article/vulnerabilities-found-in-the-remote-management-interface-of-supermicro-servers/