Recently, it was uncovered that Supermicro’s BMC firmware harbours numerous critical vulnerabilities.

Security researchers have identified multiple flaws within the Intelligent Platform Management Interface (IPMI) firmware used in Supermicro baseboard management controllers (BMCs). These vulnerabilities pose serious threats by potentially allowing malicious actors to elevate privileges on affected systems and execute harmful code.


Binarly, a cybersecurity firm, has assessed the severity of these issues, ranging from High to Critical. The vulnerabilities enable unauthenticated attackers to gain root access to the BMC system. These weaknesses are tracked through the identifiers CVE-2023-40284 to CVE-2023-40290. In response, Supermicro promptly released an updated version of the BMC firmware to address and mitigate these critical issues.

BMCs, specialized processors integrated into server motherboards, play a vital role in enabling remote management. They grant administrators the capability to monitor and control various hardware parameters such as temperature, fan speed, and UEFI system firmware. Notably, BMC chips remain operational even if the host operating system is offline, rendering them valuable attack vectors that can be exploited to install persistent malware.

Supermicro Reveals Multiple Critical Vulnerabilities

Below is a concise breakdown of each vulnerability:

  • Cross-Site Scripting (XSS) Vulnerabilities (CVE-2023-40284, CVE-2023-40287, CVE-2023-40288): These vulnerabilities hold a CVSS score of 9.6, allowing remote, unauthenticated attackers to execute arbitrary JavaScript code within the context of the logged-in BMC user.
  • Cross-Site Scripting (XSS) Vulnerabilities (CVE-2023-40285, CVE-2023-40286): Rated at 8.6 on the CVSS scale, these vulnerabilities permit remote, unauthenticated attackers to run arbitrary JavaScript code within the context of the logged-in BMC user, achieved by manipulating browser cookies or local storage.
  • Command Injection Vulnerability (CVE-2023-40289): With a CVSS score of 9.1, this flaw pertains to a command injection issue in the operating system, enabling a user to execute malicious code with administrative capabilities.
  • Cross-Site Scripting (XSS) Vulnerability (CVE-2023-40290): With a CVSS score of 8.3, this vulnerability allows remote, unauthenticated attackers to execute arbitrary JavaScript code within the context of the logged-in BMC user. It’s important to note that this vulnerability is specific to Internet Explorer 11 on Windows.

A recent technical analysis by Binarly deems CVE-2023-40289 “critical” “because it allows authenticated attackers to gain root access and completely compromise the BMC system,” the firm stated. “This makes the vulnerability critical.”

This level of privilege allows the attacker to maintain persistence even after a restart of the BMC component, facilitating lateral movement across the compromised infrastructure and enabling the infection of new endpoints.

Specifically, CVE-2023-40284, CVE-2023-40287, and CVE-2023-40288, among the six vulnerabilities, could potentially grant administrative access to the web server component of the BMC IPMI software. However, it’s essential to note that leveraging one of the vulnerabilities listed above is a prerequisite for this exploit.

In the hands of a remote adversary aiming to seize control of the servers, these vulnerabilities could be combined with CVE-2023-40289 to execute command injection and gain code execution. A plausible scenario could involve sending a phishing email containing a malicious link to the administrator’s email account. Upon clicking this link, the XSS payload would be executed. While this scenario remains hypothetical, its plausibility underscores the critical need for proactive mitigation measures.

As of early October 2023, Binarly reported observing over 70,000 instances of internet-exposed Supermicro IPMI web interfaces. Despite this significant exposure, there has been no indication of malicious exploitation of these vulnerabilities in real-world scenarios.

The firmware security firm pointed out, “First, it is possible to remotely compromise the BMC system by exploiting vulnerabilities in the Web Server component exposed to the internet.”

Consequently, an adversary can gain access to the Server’s operating system by leveraging the legitimate iKVM remote control BMC feature or by flashing the UEFI firmware with malicious code, allowing persistent control over the host OS. Once at this stage, an attacker can move laterally within the internal network, compromising other hosts without hindrance.

Earlier this year, two security vulnerabilities in AMI MegaRAC BMCs were exposed. Exploiting these vulnerabilities could potentially grant threat actors remote control over vulnerable servers, enabling the installation of malware.
