If your company runs servers equipped with baseboard management controllers from Supermicro, it's time, once again, to patch seven high-severity vulnerabilities that attackers can exploit to gain control of them. And sorry, but the fixes must be installed manually.
Commonly abbreviated as BMCs, baseboard management controllers are small chips soldered onto the motherboards of servers in data centers. Administrators rely on these powerful controllers for a variety of remote management capabilities, including installing updates, monitoring temperatures and setting fan speeds accordingly, and updating the UEFI system firmware that servers load during boot. BMCs provide these capabilities and more, even when the servers they are attached to are powered off.
Code execution in BMC? Yes
The potential for vulnerabilities in BMCs to be exploited to take control of servers has not been lost on hackers. In 2021, attackers exploited a vulnerability in BMCs from HPE and installed a custom rootkit, researchers from Amnpardaz, a security company in Iran, reported that year. iLOBleed, as the researchers named the rootkit, hides in iLO, the module in HPE BMCs whose name is short for Integrated Lights-Out.
iLOBleed is programmed to destroy data stored on disk. If administrators reinstall the operating system, iLOBleed remains intact and repeatedly runs the disk-wiping attack. The unknown attackers responsible took control of the BMCs by exploiting a set of HPE vulnerabilities from four years earlier. In May, the National Security Agency urged admins to follow its guidance to prevent such incidents.
On Tuesday, researchers from security firm Binarly disclosed seven high-severity vulnerabilities in the IPMI (Intelligent Platform Management Interface) firmware for Supermicro BMCs. Supermicro has acknowledged the vulnerabilities, thanked Binarly, and published patching information. There is no automatic way to install the updates. Supermicro says it is not aware of any malicious exploitation of the vulnerabilities in the wild.
One of the seven vulnerabilities, tracked as CVE-2023-40289, allows the execution of malicious code inside the BMC, but there is a catch: exploiting the flaw requires administrative privileges already obtained in the web interface used to configure and manage the BMCs. The remaining six all allow cross-site scripting, or XSS, attacks against the devices admins use. An exploit scenario is to use one or more of them in combination with CVE-2023-40289.
In an email, Binarly founder and CEO Alex Matrosov wrote:
Exploiting this vulnerability requires administrative privileges already obtained in the BMC web interface. To achieve that, a potential attacker can use any of the detected XSS vulnerabilities. In such a case, the abuse method would look like this potential scenario:
1. The attacker prepares a malicious link with a malicious payload.
2. The attacker includes it in an email (for example).
3. When this link is opened, the malicious payload will be running inside the BMC OS.
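The scenario above (and the combination of the six XSS bugs with CVE-2023-40289 described earlier) depends on an attacker-controlled value reaching the admin's browser as live markup. The following Python example, added here and not taken from Binarly, Supermicro, or ATEN, shows the defect class and its fix in a minimal form: a reflected query parameter rendered into HTML without encoding, beside the same rendering with context-aware output encoding and a Content-Security-Policy header that refuses inline script as a second layer. The URL, parameter name, and payload are constructed placeholders, not values from the advisory.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed link of the kind the scenario describes: a BMC web UI URL whose
# query parameter is reflected into the page. The payload is a harmless marker.
MALICIOUS_LINK = (
    "https://bmc.example.internal/cgi/config"
    "?name=%3Cscript%3Ealert(1)%3C%2Fscript%3E"
)

# Hypothetical hardening headers; CSP without 'unsafe-inline' blocks inline
# script even if some encoding bug slips through.
HARDENING_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self'",
    "X-Content-Type-Options": "nosniff",
}


def reflected_param(url, key="name"):
    """Extract the query parameter a page would echo back (decoded)."""
    return parse_qs(urlsplit(url).query).get(key, [""])[0]


def render_unsafe(name):
    """Vulnerable pattern: untrusted input concatenated straight into HTML."""
    return f"<h1>Server: {name}</h1>"


def render_safe(name):
    """Hardened pattern: HTML-escape the value before it reaches the page."""
    return f"<h1>Server: {html.escape(name, quote=True)}</h1>"


def reflects_script(rendered):
    """Detection-style check: did the input survive as an executable tag?"""
    return "<script" in rendered.lower()


def build_response(url):
    """Simulate the hardened handler: escaped body plus defensive headers."""
    body = render_safe(reflected_param(url))
    return {"headers": dict(HARDENING_HEADERS), "body": body}


if __name__ == "__main__":
    value = reflected_param(MALICIOUS_LINK)
    print("unsafe :", render_unsafe(value))
    print("safe   :", render_safe(value))
    print("CSP    :", build_response(MALICIOUS_LINK)["headers"]["Content-Security-Policy"])
```

Both defenses are independent: output encoding stops the value from being parsed as markup, and the CSP denies execution to any inline script that does get through, which is the layering an embedded web UI should apply to every reflected field.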
Administrators can communicate remotely with Supermicro BMCs through a variety of protocols, including SSH, IPMI, SNMP, WSMAN, and HTTP/HTTPS. The vulnerabilities Binarly discovered can be exploited over HTTP. While the NSA and many other security authorities insist that BMC interfaces should never be exposed to the Internet, there is evidence that this advice is often ignored. A recent query to the Shodan search engine revealed more than 70,000 instances of Supermicro BMCs with their IPMI web interface publicly reachable.
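The Shodan figure is a symptom of BMC addresses sitting on routable networks instead of an isolated management network. The Python audit below is an added example, not code from the article or from Supermicro, that checks a constructed BMC inventory against that policy: any BMC outside RFC 1918 space is a high finding when its web UI is enabled (the surface these bugs live on) and a medium one otherwise, and a private address outside the approved management subnet is also flagged. The CSV layout, hostnames, addresses and the `10.20.0.0/24` management subnet are all assumptions.

```python
import csv
import io
import ipaddress

# Constructed sample inventory (not real hosts): one row per server's BMC.
SAMPLE_INVENTORY = """\
host,bmc_ip,web_ui_enabled
db-01,10.20.0.11,yes
db-02,10.20.0.12,yes
web-01,203.0.113.45,yes
web-02,10.50.7.3,yes
build-01,10.20.0.40,no
"""

# RFC 1918 ranges, listed explicitly rather than relying on is_private, which
# also treats documentation ranges such as 203.0.113.0/24 as private.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Hypothetical policy: BMCs may only live on this isolated management subnet.
ALLOWED_MGMT_NETS = [ipaddress.ip_network("10.20.0.0/24")]


def classify_bmc(ip_text, web_ui_enabled, allowed_nets=ALLOWED_MGMT_NETS):
    """Return (severity, reason) for one BMC address, or None if compliant."""
    ip = ipaddress.ip_address(ip_text)  # raises ValueError on malformed input
    in_rfc1918 = any(ip in net for net in RFC1918)
    in_mgmt = any(ip in net for net in allowed_nets)
    if not in_rfc1918:
        # Routable address space: the exposure the Shodan count measures.
        severity = "high" if web_ui_enabled else "medium"
        return (severity, "BMC on routable address space")
    if not in_mgmt:
        return ("medium", "BMC outside approved management network")
    return None


def audit_inventory(csv_text, allowed_nets=ALLOWED_MGMT_NETS):
    """Map each non-compliant host to its (severity, reason) finding."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        enabled = row["web_ui_enabled"].strip().lower() == "yes"
        finding = classify_bmc(row["bmc_ip"].strip(), enabled, allowed_nets)
        if finding is not None:
            findings[row["host"]] = finding
    return findings


if __name__ == "__main__":
    for host, (severity, reason) in sorted(audit_inventory(SAMPLE_INVENTORY).items()):
        print(f"{severity.upper():6} {host}: {reason}")
```

Run against a real inventory export, the same function gives a list to act on before patching even begins: a BMC that is only reachable from the management network is not the one showing up in Shodan.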

The road map for exploiting vulnerabilities against servers with Supermicro interfaces exposed in this way is illustrated below:

In a Tuesday post, Binarly researchers wrote:
First, it is possible to compromise a BMC system remotely using vulnerabilities in a web server component exposed to the Internet. An attacker can then gain access to the server's operating system via the BMC's iKVM remote service or by flashing the UEFI of the target system with malicious firmware that allows persistent control of the host OS. From there, nothing prevents an attacker from moving laterally within the internal network, damaging other internal hosts.
All of the vulnerabilities Binarly found originate in IPMI firmware that third-party developer ATEN built for Supermicro. While ATEN patched CVE-2023-40289 six months ago, the fix never made its way into Supermicro's firmware.
“This is a supply chain problem because there may be other BMC suppliers that may be affected by these inefficiencies,” Matrosov wrote.