Vulnerability Note VU#648646

Supermicro IPMI based on ATEN firmware contain multiple vulnerabilities

Original Release date: 30 Aug 2013 | Last revised: 29 Jul 2014

Overview

Supermicro Intelligent Platform Management Interface (IPMI) implementations based on ATEN firmware contain multiple vulnerabilities in their web management interface.

Description

CWE-121: Stack-based Buffer Overflow - CVE-2013-3607

The Supermicro IPMI web interface contains multiple buffer overflows, including one in the username and password fields of the login screen. This may allow for privileged remote code execution on the Baseboard Management Controller (BMC).

CWE-20: Improper Input Validation - CVE-2013-3608
The Supermicro IPMI web interface does not properly sanitize input, which may allow an attacker to perform shell injection attacks and execute commands as a privileged user.

CWE-269: Improper Privilege Management - CVE-2013-3609
The Supermicro IPMI web interface relies on client-side privilege validation, which may allow an attacker to perform privilege escalation attacks.

This is a list of potentially vulnerable firmwares and models:

Firmware files (30): H8DGU_V250.zip, SMT_227.zip, SMT_236.zip, SMT_243.zip, SMT_250.zip, SMT_252.zip, SMT_255.zip, SMT_257.zip, SMT_SX_266.zip, SMT_V220.zip, SMT_X9_160.zip, SMT_X9_164.zip, SMT_X9_165.zip, SMT_X9_176.zip, SMT_X9_186.zip, SMT_X9_187.zip, SMT_X9_188.zip, SMT_X9_189.zip, SMT_X9_210.zip, SMT_X9_213.zip, SMT_X9_214.zip, SMT_X9_215.zip, SMT_X9_216.zip, SMT_X9_217.zip, SMT_X9_220.zip, SMT_X9_221.zip, SMT_X9_222.zip, SMT_X9_226.zip, SMT_X9_227.zip, SMT_X9DB3_V406.zip.

Names (73): IPMI_7SPA, IPMI_7SPE, IPMI_7SPT, IPMI_7SPT-DF-D525+, IPMI_8DG6, IPMI_8DGG, IPMI_8DGTH, IPMI_8DGT-HLF/HLIBQF, IPMI_8DGU, IPMI_8DGUL, IPMI_8DTL, IPMI_8DTN+, IPMI_8DTU+, IPMI_8SGL, IPMI_8SI6, IPMI_8SIA, IPMI_8SIL, IPMI_8SIT-F, IPMI_8SIT-HF, IPMI_8SIU, IPMI_8SME-F, IPMI_8SML-7/i(F), IPMI_9DAX-7/i(T)F, IPMI_9DAX-i/7F-HFT, IPMI_9DB3/i-(TP)F, IPMI_9DBL-iF/3F, IPMI_9DR3, IPMI_9DR7/E-TF+,IPMI_9DR7-LN4F, IPMI_9DRD-7LN4F-JBOD, IPMI_9DRD-IF, IPMI_9DRFF-(7), IPMI_9DRFF-7/i(T)+, IPMI_9DRFF-7/i(T)G+, IPMI_9DRFR, IPMI_9DRG, IPMI_9DRG-H, IPMI_9DRH, IPMI_9DRi,
IPMI_9DRi/3-LN4F+, IPMI_9DRL-3/iF, IPMI_9DRL-EF, IPMI_9DRT-F, IPMI_9DRT-H6, IPMI_9DRT-HF+, IPMI_9DRT-HF/HIBFF/HIBQF, IPMI_9DRW-3, IPMI_9DRW-7/iTPF+, IPMI_9DRW-7TPF, IPMI_9DRX, IPMI_9QR7/i, IPMI_9QR7-TF, IPMI_9SBAA-F, IPMI_9SCD, IPMI_9SCE-F, IPMI_9SCFF-F, IPMI_9SCI-LN4F, IPMI_9SCM, IPMI_9SCM-iiF, IPMI_9SPU-F, IPMI_9SRD-F, IPMI_9SRE/i-(3)F, IPMI_9SRG, IPMI_9SRL, IPMI_9SRW-F, IPMI_DTU4L, IPMI_H8DCL, IPMI_H8DCT, IPMI_H8DCT-H, IPMI_SCM, IPMI_X9DBU-3F/iF, IPMI_X9DR7/E-LN4F, IPMI_X9DRD-7LN4F.

Device models (135): X9SRW-F, X9SRL-F, X9SRG-F, X9SRE-3F, X9SRE-F, X9SRi-3F, X9SRi-F, X9SRD-F, X9SPU-F, X9SCM-iiF, X9SCL+-F, X9SCL-F, X9SCM-F, X9SCI-LN4F, X9SCFF-F, X9SCE-F, X9SCA-F, X9SCD-F, X9SBAA-F, X9QR7-TF, X9QR7-TF-JBOD, X9QRi-F, X9QR7-TF+, X9QRi-F+, X9DRX+-F, X9DRX+-F, X9DRW-iTPF, X9DRW-7TPF+, X9DRW-iTPF+, X9DRW-3LN4F+, X9DRW-3TF+, X9DRT-HF+, X9DRT-H6F, X9DRT-H6IBFF,
X9DRT-H6IBQF, X9DRT-F, X9DRT-IBFF, X9DRT-IBQF, X9DRL-EF, X9DRL-3F, X9DRL-iF, X9DRi-F, X9DRH-7F, X9DRH-7TF, X9DRH-iF, X9DRH-iTF, X9DRG-HF, X9DRG-HTF, X9DRG-HF+, X9DRG-HTF+, X9DRFR, X9DRFF,
X9DRFF-7, X9DRFF-7G+, X9DRFF-7TG+, X9DRFF-iG+, X9DRFF-iTG+, X9DRFF-7+, X9DRFF-7T+, X9DRFF-i+, X9DRFF-iT+, X9DRD-iF, X9DRD-7LN4F, X9DRD-EF, X9DRD-7JLN4F, X9DRD-7LN4F-JBOD, X9DR7-TF+, X9DRE-TF+, X9DR7-LN4F, X9DRE-LN4F, X9DR7-LN4F-JBOD, X9DR3-LN4F+, X9DRi-LN4F+, X9DR3-F, X9DBU-3F, X9DBU-iF, X9DBL-3F, X9DBL-iF, X9DB3-F, X9DB3-TPF, X9DBi-F, X9DBi-TPF, X9DAX-7F, X9DAX-7TF, X9DAX-iF, X9DAX-iTF, X9DAX-7F-HFT, X9DAX-iF-HFT, X8SIU-F, X8SIT-HF, X8SIT-F, X8SIL-F, X8SIA-F, X8SI6-F, X8SIE-F, X8SIE-LN4F, X8DTU-LN4F+, X8DTU-LN4F+-LR, X8DTU-6F+, X8DTU-6F+-LR, X8DTU-6TF+, X8DTU-6TF+-LR, X8DTN+-F, X8DTN+-F-LR, X8DTL-3F, X8DTL-6F, X8DTL-IF, X7SPT-DF-D525, X7SPT-DF-D525+, X7SPA-HF, X7SPA-HF-D525, X7SPE-H-D525, X7SPE-HF, X7SPE-HF-D525, H8SML-7, H8SML-7F, H8SML-i,
H8SML-iF, H8SME-F, H8SGL-F, H8SCM-F, H8DGU-LN4F+, H8DGU-F, H8DGT-HLF, H8DGT-HLIBQF, H8DGT-HF, H8DGT-HIBQF, H8DGG-QF, H8DG6-F, H8DGi-F, H8DCT-HIBQF, H8DCT-HLN4F, H8DCT-F, H8DCT-IBQF, H8DCL-6F, H8DCL-iF.

Impact

A remote unauthenticated attacker may obtain sensitive information, cause a denial of service, or execute arbitrary code as a privileged user.

Solution

Update BMC Firmware

Please see Firmware Fixes to Common Vulnerabilities and Exposures.

Restrict IPMI to Internal Networks
Restrict IPMI traffic to trusted internal networks. Traffic from IPMI (usually UDP port 623) should be restricted to a management VLAN segment with strong network controls. Scan for IPMI usage outside of the trusted network and monitor the trusted network for abnormal activity.

Vendor Information (Learn More)

VendorStatusDate NotifiedDate Updated
SupermicroAffected30 Jul 201329 Jul 2014
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group Score Vector
Base 8.3 AV:A/AC:L/Au:N/C:C/I:C/A:C
Temporal 5.8 E:POC/RL:OF/RC:UC
Environmental 5.3 CDP:LM/TD:M/CR:ND/IR:ND/AR:ND

References

Credit

Thanks to J. Alex Halderman and Anthony Bonkoski for reporting this vulnerability.

This document was written by Chris King.

Other Information

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.