Security Alert - Supermicro BMC Vulnerability - CVE-2023-40284 to CVE-2023-40290


TheTamago

Oct 29, 2022
My daily read on upcoming and in the know for trusted news on IT Vulnerability News. I am sure we have a lot of Supermicro boards running "B11, CMM, H11, H12, M11, and X11 motherboards." From one security point, if your systems are exposed to the Internet, please consider network limitations to access from a secure resource to your BMC/IPMI interfaces if possible. Maintain your "Human Firewall" and watch what you click on.

News Reference: Security Week - Supermicro BMC Vulnerability
Supermicro Support: Supermicro Support - BMC CVES

mattventura

Nov 9, 2022
Okay, here's my summary.

The first one (command injection) requires the attacker to already have admin privileges. It allows them to do more with said admin privileges above and beyond what would normally be possible. You can mitigate this by not using admin accounts for tasks that do not require such.

The other four are XSS attacks, which require your browser to already be logged in to the web interface. You can mitigate these by using browser addons that block XSS attacks better than the browser's built-in protections, addons that provide a "network boundary shield" that prevents internet resources from accessing internal network resources, or by opening the web interface in a private tab.

As for the impact of having your BMC interface exposed to the internet, it might open the door to the first one if the attacker knows your credentials (or you're using default creds, though I think the affected boards all have random default passwords), but the XSS vulnerabilities bypass that - it only matters whether your computer can access the BMC. That is, even if your firewall rules are so tight that you have the only PC that can access the BMC on the entire network, the attacker can trick your browser into giving them access to the BMC if you are already logged into it.
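One way to apply the network limitation recommended above, as an added example that is not from the thread or from Supermicro: an nftables ruleset for a router or firewall that sits between the LAN and the BMC network. It assumes a BMC at 10.0.1.50, a management subnet 10.0.0.0/24, and the usual BMC services on TCP 443 (web UI), TCP 5900 (iKVM) and UDP 623 (IPMI over LAN); adjust the addresses and ports to your own setup.

```nft
#!/usr/sbin/nft -f
# Restrict access to the BMC to hosts on the management subnet and
# log everything else, so stray or attacker-originated connection
# attempts show up in the firewall log. Addresses are placeholders.

table inet bmc_guard {
    set bmc_hosts {
        type ipv4_addr
        elements = { 10.0.1.50 }          # BMC/IPMI address (assumed)
    }

    set mgmt_hosts {
        type ipv4_addr
        flags interval
        elements = { 10.0.0.0/24 }        # management subnet (assumed)
    }

    chain forward {
        type filter hook forward priority 0; policy accept;

        # Management hosts may reach the BMC web UI, iKVM and IPMI ports.
        ip daddr @bmc_hosts ip saddr @mgmt_hosts tcp dport { 443, 5900 } accept
        ip daddr @bmc_hosts ip saddr @mgmt_hosts udp dport 623 accept

        # Every other packet destined for a BMC is logged and dropped;
        # the prefix makes the events easy to pick out for alerting.
        ip daddr @bmc_hosts log prefix "bmc-denied: " drop
    }
}
```

Load it with `nft -f` on the firewall and confirm with `nft list table inet bmc_guard` that the drop rule is last in the chain.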

ericloewe

Apr 24, 2017
It allows them to do more with said admin privileges above and beyond what would normally be possible.
Admin-level accounts already have full control of the BMC both in-band and out-of-band, and thus effectively have local console control of the host as well. Command injection is a big nothingburger in this context.

Meanwhile, XSS against a BMC is the stuff of targeted attacks. Not great, not terrible, unless someone is out to get you.

mattventura

Nov 9, 2022
Admin-level accounts already have full control of the BMC both in-band and out-of-band, and thus effectively have local console control of the host as well. Command injection is a big nothingburger in this context.

Meanwhile, XSS against a BMC is the stuff of targeted attacks. Not great, not terrible, unless someone is out to get you.
This is true, but the bigger threat is that you might not notice such an attack on the BMC at all if done in a surreptitious way, and you could potentially achieve persistence through an OS reinstall.