A wide range of Supermicro motherboards contain several vulnerabilities in their BMC chip firmware that, when combined, can allow an attacker to gain complete control of a vulnerable system.
The flaws are in the motherboards’ baseboard management controller (BMC) web server, and researchers at Binarly who discovered the bugs found that by combining any of three cross-site scripting vulnerabilities with a command-injection vulnerability, an attacker could gain arbitrary code execution and root privileges. Supermicro has released updated firmware to address the vulnerabilities in the affected motherboards, which include some 11, H11, B11, CMM, M11, and H12 motherboards.
The BMC is a special-purpose chip installed in servers that allows remote monitoring and administrative management of machines, even when the host OS is offline. Vulnerabilities in BMCs can offer significant opportunities for attackers, given their low-level access to the motherboard and powerful capabilities. The four bugs that the Binarly researchers discovered in the Supermicro BMCs include six XSS flaws (CVE-2023-40284, 40285, 40286, 40287, 40288, 40290) and one command-injection vulnerability (CVE-2023-40289).
The command-injection vulnerability is a serious one, as it can allow an attacker to gain root access to the BMC. However, the attacker must be authenticated in order to exploit the bug, which is a significant mitigation. Using one of the XSS flaws or another bug in the BMC’s web server, though, could give the attacker a pathway to create an admin account with the privileges required to exploit that vulnerability.
“The first vulnerability is critical because it allows authenticated attackers to gain root access and completely compromise the BMC system. This privilege allows making the attack persistent even while the BMC component is rebooted and moving laterally within the compromised infrastructure, infecting other endpoints,” the Binarly advisory says.
“In this case, an attacker could create an account with administrative privileges for the web server component of the BMC IPMI software. Most importantly, it allows exploitation of vulnerabilities that require authentication, such as BRLY-2023-001. By combining these vulnerabilities, unauthorized remote attackers could gain access to the root of the BMC system.”
Bugs in BMC chips can be especially problematic, given the chips’ powerful capabilities on the server, as well as the issue of updating the firmware. Many organizations are hesitant to take servers offline in order to update them, so bugs can persist for some time.
“An updated BMC firmware had been created to mitigate these potential vulnerabilities,” Supermicro said in its advisory.
As a workaround, administrators can configure session timeouts.