Supermicro Management Controllers expose servers to XSS exploits
Take action: Exploiting these flaws is not trivial; it requires successful phishing or leaked credentials. That said, it is still wise to patch your Supermicro BMC firmware to the latest version, because phishing and leaked credentials will happen eventually.
Learn More
Multiple security vulnerabilities have been made public in the firmware of the Intelligent Platform Management Interface (IPMI) for Supermicro baseboard management controllers (BMCs).
BMCs are specialized processors on server motherboards that facilitate remote management, enabling administrators to monitor hardware metrics such as temperature, adjust fan speed, and update the UEFI system firmware. BMC chips remain functional even when the host operating system is offline, making them attractive targets for deploying persistent malware.
The vulnerabilities, totaling seven, are tracked as CVE-2023-40284 to CVE-2023-40290. Their severity was assessed by security researchers at Binarly. Supermicro has taken corrective action by releasing a BMC firmware update to address these vulnerabilities. Supermicro disputes the severity ranking, since exploiting the vulnerabilities relies on successfully targeting an admin who has an open connection to the BMC, or on already having BMC credentials. In one case the exploit also requires Internet Explorer 11.
The vulnerabilities are:
- CVE-2023-40284, CVE-2023-40287, and CVE-2023-40288 (CVSS scores: 9.6): Three cross-site scripting (XSS) flaws enabling remote, unauthenticated attackers to execute arbitrary JavaScript code within the context of the logged-in BMC user.
- CVE-2023-40285 and CVE-2023-40286: Two cross-site scripting (XSS) flaws allowing remote, unauthenticated attackers to execute arbitrary JavaScript code within the context of the logged-in BMC user by tampering with browser cookies or local storage.
- CVE-2023-40289: An operating system command injection flaw permitting the execution of malicious code with administrative privileges, if an attacker has credentials to the BMC.
- CVE-2023-40290: A cross-site scripting (XSS) flaw enabling remote, unauthenticated attackers to execute arbitrary JavaScript code within the context of the logged-in BMC user, specifically when using Internet Explorer 11 browser on Windows.
CVE-2023-40289 is particularly critical as it grants authenticated attackers root access, leading to complete compromise of the BMC system. The remaining six vulnerabilities, especially CVE-2023-40284, CVE-2023-40287, and CVE-2023-40288, could be exploited to establish an account with admin privileges for the web server component of the BMC IPMI software.
In a hypothetical scenario, this could involve sending a phishing email containing a malicious link to the administrator's email address. When clicked, this link triggers the execution of the XSS payload, and the attacker could then proceed to take full control of the system.
As of now, there is no evidence of malicious exploitation of these vulnerabilities in the wild. Binarly reported over 70,000 instances of publicly accessible Supermicro IPMI web interfaces at the beginning of October 2023.