search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Supermicro IPMI based on ATEN firmware contain multiple vulnerabilities

Vulnerability Note VU#648646

Original Release Date: 2013-08-30 | Last Revised: 2014-07-29

Overview

Supermicro Intelligent Platform Management Interface (IPMI) implementations based on ATEN firmware contain multiple vulnerabilities in their web management interface.

Description

CWE-121: Stack-based Buffer Overflow - CVE-2013-3607

The Supermicro IPMI web interface contains multiple buffer overflows, including one in the username and password fields of the login screen. This may allow for privileged remote code execution on the Baseboard Management Controller (BMC).

CWE-20: Improper Input Validation - CVE-2013-3608
The Supermicro IPMI web interface does not properly sanitize input, which may allow an attacker to perform shell injection attacks and execute commands as a privileged user.

CWE-269: Improper Privilege Management - CVE-2013-3609
The Supermicro IPMI web interface relies on client-side privilege validation, which may allow an attacker to perform privilege escalation attacks.

This is a list of potentially vulnerable firmwares and models:

Firmware files (30): H8DGU_V250.zip, SMT_227.zip, SMT_236.zip, SMT_243.zip, SMT_250.zip, SMT_252.zip, SMT_255.zip, SMT_257.zip, SMT_SX_266.zip, SMT_V220.zip, SMT_X9_160.zip, SMT_X9_164.zip, SMT_X9_165.zip, SMT_X9_176.zip, SMT_X9_186.zip, SMT_X9_187.zip, SMT_X9_188.zip, SMT_X9_189.zip, SMT_X9_210.zip, SMT_X9_213.zip, SMT_X9_214.zip, SMT_X9_215.zip, SMT_X9_216.zip, SMT_X9_217.zip, SMT_X9_220.zip, SMT_X9_221.zip, SMT_X9_222.zip, SMT_X9_226.zip, SMT_X9_227.zip, SMT_X9DB3_V406.zip.

Names (73): IPMI_7SPA, IPMI_7SPE, IPMI_7SPT, IPMI_7SPT-DF-D525+, IPMI_8DG6, IPMI_8DGG, IPMI_8DGTH, IPMI_8DGT-HLF/HLIBQF, IPMI_8DGU, IPMI_8DGUL, IPMI_8DTL, IPMI_8DTN+, IPMI_8DTU+, IPMI_8SGL, IPMI_8SI6, IPMI_8SIA, IPMI_8SIL, IPMI_8SIT-F, IPMI_8SIT-HF, IPMI_8SIU, IPMI_8SME-F, IPMI_8SML-7/i(F), IPMI_9DAX-7/i(T)F, IPMI_9DAX-i/7F-HFT, IPMI_9DB3/i-(TP)F, IPMI_9DBL-iF/3F, IPMI_9DR3, IPMI_9DR7/E-TF+,IPMI_9DR7-LN4F, IPMI_9DRD-7LN4F-JBOD, IPMI_9DRD-IF, IPMI_9DRFF-(7), IPMI_9DRFF-7/i(T)+, IPMI_9DRFF-7/i(T)G+, IPMI_9DRFR, IPMI_9DRG, IPMI_9DRG-H, IPMI_9DRH, IPMI_9DRi,
IPMI_9DRi/3-LN4F+, IPMI_9DRL-3/iF, IPMI_9DRL-EF, IPMI_9DRT-F, IPMI_9DRT-H6, IPMI_9DRT-HF+, IPMI_9DRT-HF/HIBFF/HIBQF, IPMI_9DRW-3, IPMI_9DRW-7/iTPF+, IPMI_9DRW-7TPF, IPMI_9DRX, IPMI_9QR7/i, IPMI_9QR7-TF, IPMI_9SBAA-F, IPMI_9SCD, IPMI_9SCE-F, IPMI_9SCFF-F, IPMI_9SCI-LN4F, IPMI_9SCM, IPMI_9SCM-iiF, IPMI_9SPU-F, IPMI_9SRD-F, IPMI_9SRE/i-(3)F, IPMI_9SRG, IPMI_9SRL, IPMI_9SRW-F, IPMI_DTU4L, IPMI_H8DCL, IPMI_H8DCT, IPMI_H8DCT-H, IPMI_SCM, IPMI_X9DBU-3F/iF, IPMI_X9DR7/E-LN4F, IPMI_X9DRD-7LN4F.

Device models (135): X9SRW-F, X9SRL-F, X9SRG-F, X9SRE-3F, X9SRE-F, X9SRi-3F, X9SRi-F, X9SRD-F, X9SPU-F, X9SCM-iiF, X9SCL+-F, X9SCL-F, X9SCM-F, X9SCI-LN4F, X9SCFF-F, X9SCE-F, X9SCA-F, X9SCD-F, X9SBAA-F, X9QR7-TF, X9QR7-TF-JBOD, X9QRi-F, X9QR7-TF+, X9QRi-F+, X9DRX+-F, X9DRX+-F, X9DRW-iTPF, X9DRW-7TPF+, X9DRW-iTPF+, X9DRW-3LN4F+, X9DRW-3TF+, X9DRT-HF+, X9DRT-H6F, X9DRT-H6IBFF,
X9DRT-H6IBQF, X9DRT-F, X9DRT-IBFF, X9DRT-IBQF, X9DRL-EF, X9DRL-3F, X9DRL-iF, X9DRi-F, X9DRH-7F, X9DRH-7TF, X9DRH-iF, X9DRH-iTF, X9DRG-HF, X9DRG-HTF, X9DRG-HF+, X9DRG-HTF+, X9DRFR, X9DRFF,
X9DRFF-7, X9DRFF-7G+, X9DRFF-7TG+, X9DRFF-iG+, X9DRFF-iTG+, X9DRFF-7+, X9DRFF-7T+, X9DRFF-i+, X9DRFF-iT+, X9DRD-iF, X9DRD-7LN4F, X9DRD-EF, X9DRD-7JLN4F, X9DRD-7LN4F-JBOD, X9DR7-TF+, X9DRE-TF+, X9DR7-LN4F, X9DRE-LN4F, X9DR7-LN4F-JBOD, X9DR3-LN4F+, X9DRi-LN4F+, X9DR3-F, X9DBU-3F, X9DBU-iF, X9DBL-3F, X9DBL-iF, X9DB3-F, X9DB3-TPF, X9DBi-F, X9DBi-TPF, X9DAX-7F, X9DAX-7TF, X9DAX-iF, X9DAX-iTF, X9DAX-7F-HFT, X9DAX-iF-HFT, X8SIU-F, X8SIT-HF, X8SIT-F, X8SIL-F, X8SIA-F, X8SI6-F, X8SIE-F, X8SIE-LN4F, X8DTU-LN4F+, X8DTU-LN4F+-LR, X8DTU-6F+, X8DTU-6F+-LR, X8DTU-6TF+, X8DTU-6TF+-LR, X8DTN+-F, X8DTN+-F-LR, X8DTL-3F, X8DTL-6F, X8DTL-IF, X7SPT-DF-D525, X7SPT-DF-D525+, X7SPA-HF, X7SPA-HF-D525, X7SPE-H-D525, X7SPE-HF, X7SPE-HF-D525, H8SML-7, H8SML-7F, H8SML-i,
H8SML-iF, H8SME-F, H8SGL-F, H8SCM-F, H8DGU-LN4F+, H8DGU-F, H8DGT-HLF, H8DGT-HLIBQF, H8DGT-HF, H8DGT-HIBQF, H8DGG-QF, H8DG6-F, H8DGi-F, H8DCT-HIBQF, H8DCT-HLN4F, H8DCT-F, H8DCT-IBQF, H8DCL-6F, H8DCL-iF.

Impact

A remote unauthenticated attacker may obtain sensitive information, cause a denial of service, or execute arbitrary code as a privileged user.

Solution

Update BMC Firmware

Please see Firmware Fixes to Common Vulnerabilities and Exposures.

Restrict IPMI to Internal Networks
Restrict IPMI traffic to trusted internal networks. Traffic from IPMI (usually UDP port 623) should be restricted to a management VLAN segment with strong network controls. Scan for IPMI usage outside of the trusted network and monitor the trusted network for abnormal activity.

Vendor Information

648646
 
Affected   Unknown   Unaffected

Supermicro

Notified:  July 30, 2013 Updated:  July 29, 2014

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References


CVSS Metrics

Group Score Vector
Base 8.3 AV:A/AC:L/Au:N/C:C/I:C/A:C
Temporal 5.8 E:POC/RL:OF/RC:UC
Environmental 5.3 CDP:LM/TD:M/CR:ND/IR:ND/AR:ND

References

Acknowledgements

Thanks to J. Alex Halderman and Anthony Bonkoski for reporting this vulnerability.

This document was written by Chris King.

Other Information

CVE IDs: CVE-2013-3607, CVE-2013-3608, CVE-2013-3609
Date Public: 2013-08-13
Date First Published: 2013-08-30
Date Last Updated: 2014-07-29 23:38 UTC
Document Revision: 18

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.