Binarly has discovered seven vulnerabilities in Supermicro's legacy baseboard management controllers (BMCs) that could allow attackers to gain control of servers.
Baseboard management controllers are small chips on the server motherboard. BMCs are used for remote management of servers and offer a wide range of functions: installing updates, monitoring temperatures and controlling fan speeds, as well as the ability to flash UEFI. A BMC also provides access to a server that is switched off – it is sufficient that the server is connected to the power supply.
Seven serious vulnerabilities were discovered in the IPMI (Intelligent Platform Management Interface) firmware of older BMCs from the manufacturer Supermicro. Supermicro noted that they affect "some X11, H11, B11, CMM, M11 and H12 motherboards" and emphasized that there is no information about these vulnerabilities being exploited. The central vulnerability is assigned the number CVE-2023-40289 – it allows the execution of malicious code on the BMC, but its exploitation requires administrator rights in the web interface, which can be obtained through the six remaining vulnerabilities. These in turn enable cross-site scripting (XSS) attacks.
In general, the attack follows this sequence:
- The attacker prepares a malicious link with a payload;
- The attacker sends it via phishing emails;
- When the link is clicked by a user logged in to the BMC, the malicious payload is executed.
Connections to Supermicro's BMCs are made via various protocols, including SSH, IPMI, SNMP, WSMAN and HTTP/HTTPS. The vulnerabilities discovered by Binarly can be exploited via HTTP. Cybersecurity experts strongly recommend isolating BMC interfaces from the Internet, but in practice this recommendation is often ignored. The Shodan search service found more than 70,000 Supermicro BMC instances with publicly exposed IPMI.
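The isolation recommendation above is usually implemented at the network edge: traffic to the BMC addresses is permitted only from a dedicated management subnet, and everything else is dropped. The following POSIX shell script is an added illustration, not code from Binarly, Supermicro or ATEN; it generates an nftables ruleset for a Linux gateway that forwards traffic to the BMC network. The management subnet, the BMC addresses and the port numbers for the protocols named in the article (SSH, HTTP/HTTPS, SNMP, IPMI, WS-Management) are constructed assumptions; replace them with your own values.

```shell
#!/bin/sh
# Added example (not from the Binarly advisory or Supermicro): build an
# nftables ruleset that allows BMC management traffic only from a
# management subnet and logs and drops everything else aimed at a BMC.

# Constructed placeholder values; override via environment if desired.
MGMT_NET="${MGMT_NET:-10.10.0.0/24}"
BMC_HOSTS="${BMC_HOSTS:-10.20.0.11 10.20.0.12}"

# bmc_ruleset MGMT_CIDR BMC_IP [BMC_IP ...]
# Prints an nftables ruleset to stdout.
# Ports assumed for the protocols the article lists:
#   SSH 22/tcp, HTTP 80/tcp, HTTPS 443/tcp, WS-Management 5985,5986/tcp,
#   SNMP 161/udp, IPMI (RMCP/RMCP+) 623/udp.
bmc_ruleset() {
    mgmt="$1"
    shift
    hosts="$*"
    # Turn "a b c" into "a, b, c" for the nftables set literal.
    set_elems=$(printf '%s, ' $hosts | sed 's/, $//')
    cat <<EOF
table inet bmc_isolation {
    set bmc_hosts {
        type ipv4_addr
        elements = { $set_elems }
    }
    chain forward {
        type filter hook forward priority 0; policy accept;
        # Management subnet may reach the BMC management services.
        ip saddr $mgmt ip daddr @bmc_hosts tcp dport { 22, 80, 443, 5985, 5986 } accept
        ip saddr $mgmt ip daddr @bmc_hosts udp dport { 161, 623 } accept
        # Any other traffic destined to a BMC is logged and dropped.
        ip daddr @bmc_hosts log prefix "bmc-blocked: " drop
    }
}
EOF
}

# bmc_ruleset_has RULESET PATTERN -> exit 0 if the ruleset contains PATTERN
bmc_ruleset_has() {
    printf '%s\n' "$1" | grep -q -F -- "$2"
}

# Stand-alone use: print the ruleset for the configured values.
bmc_ruleset "$MGMT_NET" $BMC_HOSTS
```

Save the output to a file and check it with `nft -c -f FILE` before loading it with `nft -f FILE`. The final `drop` rule is deliberately the only path for non-management sources, so an accidental second uplink or a misplaced BMC on a routable VLAN still ends up in the log rather than on the Internet.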
Notably, all of the vulnerabilities discovered by Binarly affect the IPMI firmware developed for Supermicro by a third party, ATEN. ATEN fixed CVE-2023-40289 six months ago, but that patch has not yet been included in the firmware. Finally, Supermicro rated the vulnerabilities 7.2 to 8.3 out of 10, while Binarly rated them 8.3 to 9.6 out of 10.