A series of security vulnerabilities has been disclosed in the firmware of Supermicro's baseboard management controllers (BMCs). The flaws, tracked as CVE-2023-40284 through CVE-2023-40290, are rated high to critical in severity. Binarly, the firm that discovered them, stated that they could allow unauthenticated actors to gain root access to the BMC system. Supermicro has responded by releasing a firmware update for the affected BMCs.
BMCs are specialized processors on server motherboards that provide out-of-band remote management. They let administrators monitor hardware indicators such as temperature, control fan speed, and update the UEFI system firmware. Because a BMC keeps running even when the host operating system is offline, it is an attractive target for deploying persistent malware.
Among the vulnerabilities, CVE-2023-40289 is the most critical: it allows authenticated attackers to gain root access and completely compromise the BMC system. Binarly stated in its technical analysis, 'This privilege allows an attacker to make the attack persistent even while the BMC component is rebooted and to move laterally within the compromised infrastructure, infecting other endpoints.'
The other six vulnerabilities, notably CVE-2023-40284, CVE-2023-40287, and CVE-2023-40288, can be exploited to create an account with administrative privileges on the web server component of the BMC's IPMI software. A remote attacker could then combine these with CVE-2023-40289 to perform command injection and achieve code execution. One possible scenario begins with a phishing email containing a malicious link sent to an administrator; when the link is clicked, the XSS payload is triggered.
There is currently no evidence that these vulnerabilities have been exploited in the wild. However, Binarly reported that at the beginning of October 2023 it had identified over 70,000 internet-exposed Supermicro IPMI web interfaces. The firm explained, 'First, it is possible to remotely compromise the BMC system by exploiting vulnerabilities in the Web Server component exposed to the internet. An attacker can then gain access to the server's operating system via legitimate iKVM remote control BMC functionality or by flashing the UEFI of the target system with malicious firmware that allows persistent control of the host OS. From there, nothing prevents an attacker from lateral movement within the internal network, compromising other hosts.'
Earlier this year, two security flaws were disclosed in AMI MegaRAC BMCs which, if successfully exploited, could allow threat actors to remotely take control of vulnerable servers and deploy malware.