New Supermicro BMC Vulnerabilities Could Expose Many Servers to Remote Attacks

Server and computer hardware giant Supermicro has released updates to address multiple vulnerabilities in the IPMI firmware of its Baseboard Management Controllers (BMCs).

According to firmware supply chain security firm Binarly, which identified the bugs, the issues (tracked as CVE-2023-40284 through CVE-2023-40290) could allow remote attackers to gain root access to the BMC system.

The BMC is a dedicated chip on server motherboards that support remote management; it lets administrators monitor hardware sensors and even update the UEFI system firmware, and it remains operational even when the host system is powered off.

The most severe of these bugs are three cross-site scripting (XSS) vulnerabilities in the BMC web server frontend that could be exploited remotely, without authentication, to execute arbitrary JavaScript code.

The flaws are tracked as CVE-2023-40284, CVE-2023-40287, and CVE-2023-40288 and, according to Supermicro’s advisory, have a CVSS score of 8.3.

“An attacker could send a phishing link that does not require login, tricking BMC administrators into clicking on that link while they are still logged in and thus authenticated by the BMC Web UI,” Supermicro notes.

Binarly, however, considers these issues ‘critical severity’, with a CVSS score of 9.6. Its scoring assumes that the attacker knows the BMC web server’s IP address and the administrator’s email address, to which the phishing email is sent.


CVE-2023-40289, which is described as a command injection bug in the BMC server backend, should also be considered critical severity, with a CVSS score of 9.1, Binarly says.

“The vulnerability is critical because it allows authenticated attackers to gain root access and completely compromise the BMC system. This privilege makes it possible to make the attack persistent even while the BMC component is rebooted and to move laterally within the compromised infrastructure, infecting other endpoints,” the security firm notes.

Supermicro, however, rates the issue with a CVSS score of 7.2, noting that exploitation requires the attacker to be logged into the BMC with administrator privileges.
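The command-injection class described above (an authenticated request whose parameter reaches a shell) is generic, and the article does not disclose the affected code. The following is an added illustration written for this article, not Supermicro's backend code: a "ping a host" diagnostic and the form field name are assumptions, and the vulnerable builder returns its command string rather than executing it so the example stays inert.

```python
import re
import subprocess

# Constructed inputs (not from the advisory). The diagnostic ("ping a host")
# and the form field are assumptions used only to illustrate the pattern.
CONSTRUCTED_GOOD = "gateway.example.invalid"
CONSTRUCTED_BAD = "127.0.0.1; id"

# Allow-list for a hostname or IPv4 literal: letters, digits, dots, hyphens,
# starting and ending with an alphanumeric character.
TARGET_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?$")


def build_vulnerable(target: str) -> str:
    """Builds a single string destined for `sh -c`.

    Every shell metacharacter in `target` (';', '|', '$(...)') is parsed as
    shell syntax, which is the injection pattern. Returned, not executed.
    """
    return f"ping -c 1 {target}"


def is_valid_target(target: str) -> bool:
    """True only for a plausible hostname or IPv4 literal."""
    return TARGET_RE.fullmatch(target) is not None


def validate_target(target: str) -> str:
    """Reject anything that fails the allow-list before it reaches a command."""
    if not is_valid_target(target):
        raise ValueError(f"rejected target: {target!r}")
    return target


def build_hardened(target: str) -> list:
    """Argument vector for execve-style execution.

    No shell parses this list, so the validated value is always exactly one
    argument regardless of what characters it contains.
    """
    return ["ping", "-c", "1", validate_target(target)]


def run_hardened(target: str) -> int:
    """Execute the argv with shell=False (the default) and return the exit status.

    On a real BMC the web backend would additionally run as an unprivileged
    account, so that a residual bug does not hand out root as the article
    describes.
    """
    return subprocess.run(build_hardened(target), capture_output=True, timeout=10).returncode


if __name__ == "__main__":
    print("vulnerable string:", build_vulnerable(CONSTRUCTED_BAD))
    print("hardened argv:    ", build_hardened(CONSTRUCTED_GOOD))
    print("bad input accepted by allow-list?", is_valid_target(CONSTRUCTED_BAD))
```

The two fixes are independent and both matter: the allow-list stops hostile input at the boundary, and passing an argument vector rather than a shell string removes the interpreter that would otherwise give metacharacters their meaning.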

Binarly also identified two XSS flaws (CVE-2023-40285 and CVE-2023-40286) in the Supermicro BMC IPMI firmware that could lead to the execution of malicious code every time a specific action is triggered. The complexity of the attack is low, with no circumstances preventing successful exploitation, Binarly says.

Both vulnerabilities can be exploited by sending phishing emails and tricking BMC administrators into clicking a link while they are still logged in to the BMC web UI.

CVE-2023-40290, another high-severity XSS flaw, can only be exploited using the Internet Explorer 11 browser on Windows.
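All of the XSS flaws discussed above share one mechanism: a value the attacker controls is reflected into a page that an already-authenticated administrator views. The following is an added illustration written for this article, not Supermicro's firmware code; the URL, the `host` parameter name and the session cookie are constructed assumptions. It shows the unescaped rendering beside the escaped one, plus response headers that limit the damage if an escaping bug slips through.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed request URL (not from the advisory): an administrator who is
# already logged in to the management UI follows a link whose query
# parameter carries markup. The parameter name "host" is an assumption.
CONSTRUCTED_URL = (
    "https://bmc.example.invalid/cgi/status?host="
    "%3Cscript%3Ealert(1)%3C%2Fscript%3E"
)


def query_param(url: str, name: str) -> str:
    """Return the first value of query parameter `name`, or '' if absent."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def render_vulnerable(value: str) -> str:
    """Reflects the parameter into the page body unescaped.

    This is the reflected-XSS pattern: the browser parses the attacker's
    string as HTML, so a <script> element in it runs in the admin's session.
    """
    return f"<p>Host: {value}</p>"


def render_hardened(value: str) -> str:
    """Escapes &, <, >, " and ' so the browser treats the value as text."""
    return f"<p>Host: {html.escape(value, quote=True)}</p>"


def hardened_headers() -> dict:
    """Defence in depth for the case an escaping bug slips through.

    - A CSP without 'unsafe-inline' stops inline <script> from executing.
    - HttpOnly keeps script from reading the session cookie.
    - SameSite=Strict keeps browsers from attaching the cookie to
      cross-site requests that originate from a phishing page.
    """
    return {
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
        "Set-Cookie": "SID=<session-id-placeholder>; Secure; HttpOnly; SameSite=Strict",
        "X-Content-Type-Options": "nosniff",
    }


def contains_script_element(fragment: str) -> bool:
    """Crude marker check used to show the difference between the renderers."""
    return "<script" in fragment.lower()


if __name__ == "__main__":
    value = query_param(CONSTRUCTED_URL, "host")
    print("vulnerable:", render_vulnerable(value))
    print("hardened:  ", render_hardened(value))
    for k, v in hardened_headers().items():
        print(f"{k}: {v}")
```

Output encoding at the point of rendering is the actual fix; the headers are a second layer, and the CSP in particular is what turns a missed escape from code execution into a console error.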

According to Supermicro, the vulnerability impacts the BMC IPMI firmware of select B11, CMM, H11, H12, M11, and X11 motherboards.

The company says it is not aware of any malicious exploitation of these vulnerabilities.

Binarly’s research focused on the web server component because it is the most accessible and most likely attack vector. The company has seen more than 70,000 instances of internet-exposed Supermicro IPMI web interfaces.
