Supermicro IPMI Security Updates November 2013
IPMI controller web interfaces of Supermicro X9 generation motherboards with firmware revision v2.24 and older are currently affected by several vulnerabilities, including critical buffer overflows. These vulnerabilities were discovered during a security analysis by Rapid7. The following analyses describe the discovery of these vulnerabilities:
- Supermicro IPMI Firmware Vulnerabilities (community.rapid7.com)
- Exploiting the Supermicro Onboard IPMI Controller (community.rapid7.com)
This wiki article will provide more information about these security vulnerabilities and how to perform an update of the IPMI firmware.
General Safety Information
We recommend not exposing administrative access such as IPMI and SSH services to the Internet, but instead restricting access to authorized persons through a firewall/VPN. This recommendation applies regardless of the vulnerabilities described here and is also given by Supermicro: Best Practices for managing servers with IPMI features enabled in Datacenters.
Affected Firmware Versions
According to Rapid7 the vulnerabilities were discovered in IPMI firmware version SMT_X9_226. Rapid7 developed a corresponding exploit for the buffer overflow using IPMI firmware version SMT_X9_214. Thomas-Krenn verified that the vulnerability in close_window.cgi is exploitable on an IPMI web interface of revision 2.24.
The following selected Thomas Krenn motherboards are affected:
- X9 Mainboards for Intel CPUs (IPMI revision before v2.24): X9SCA-F, X9SCM-F, X9DBL-iF, X9DR7-LN4F, X9DRi-F, X9DRW-3LN4F+, X9DRT-HF, 5037MC-H8TRF (X9SCD-F), SYS-2027TR-H71RF
The CGI scripts login.cgi and close_window.cgi of the IPMI web interface are vulnerable to buffer overflows. The vulnerabilities result from the use of strcpy and strcat without validating the string length.
An attacker with network access to port 80 of the IPMI IP address can trigger a buffer overflow by sending crafted requests. If the vulnerability is exploited successfully, the attacker can run commands with root privileges on the IPMI BMC (arbitrary code execution).
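The bug class described above, illustrated as an added example that is not Supermicro's or ATEN's firmware code: a hypothetical CGI handler assembles a message from a request parameter, first with the unchecked strcpy/strcat pattern and then with a bounded version that checks the length before copying and rejects oversized input instead of overrunning the stack buffer. The buffer size, the prefix string and the sample inputs are constructed for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed-size stack buffer used by the CGI handler (constructed). */
#define MSG_MAX 64

/* Unsafe pattern: strcpy and strcat copy as many bytes as the request carries.
   Any parameter longer than MSG_MAX - strlen(prefix) - 1 bytes overruns msg[]
   on the stack. Shown for contrast only; it is never called with untrusted
   input in this example. */
void build_message_unsafe(char *msg, const char *prefix, const char *param)
{
    strcpy(msg, prefix);   /* no length check */
    strcat(msg, param);    /* no length check */
}

/* Hardened pattern: validate the required length against the buffer size
   before any copy, then use a bounded formatter. Returns 0 on success and
   -1 if the parameter does not fit (the request is rejected, not truncated). */
int build_message_bounded(char *msg, size_t msg_size,
                          const char *prefix, const char *param)
{
    size_t need = strlen(prefix) + strlen(param) + 1; /* +1 for the NUL */
    if (need > msg_size)
        return -1;
    int n = snprintf(msg, msg_size, "%s%s", prefix, param);
    if (n < 0 || (size_t)n >= msg_size)
        return -1; /* defence in depth: snprintf reports truncation */
    return 0;
}

/* Returns 1 if the parameter is accepted into a MSG_MAX buffer with the
   constructed prefix "window=", 0 if it is rejected. */
int param_accepted(const char *param)
{
    char msg[MSG_MAX];
    return build_message_bounded(msg, sizeof msg, "window=", param) == 0;
}

int main(void)
{
    char msg[MSG_MAX];
    /* Constructed sample inputs: a normal id and an oversized one. */
    const char *short_id = "42";
    char long_id[200];
    memset(long_id, 'A', sizeof long_id - 1);
    long_id[sizeof long_id - 1] = '\0';

    if (build_message_bounded(msg, sizeof msg, "window=", short_id) == 0)
        printf("accepted: %s\n", msg);
    if (build_message_bounded(msg, sizeof msg, "window=", long_id) != 0)
        printf("rejected: parameter of %zu bytes does not fit in %d bytes\n",
               strlen(long_id), MSG_MAX);
    return 0;
}
```

With the prefix "window=" (7 bytes) and a 64-byte buffer, parameters of up to 56 bytes are accepted and anything longer is rejected before a single byte is copied; the length check is what the strcpy/strcat pattern lacks.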
According to Supermicro the following security vulnerabilities are fixed by revision SMT_X9_315:
- Hardcoded WSMan Credentials (CVE-2013-3620)
- CGI: login.cgi (CVE-2013-3621)
- CGI: close_window.cgi (CVE-2013-3623)
- Stack-based Buffer Overflow (CVE-2013-3607)
- Improper Input Validation (CVE-2013-3608)
- Improper Privilege Management (CVE-2013-3609)
Attention: Supermicro states that, due to changes in the password management algorithms, a downgrade from version 3.x to version 2.x is not possible.
The following IPMI firmware revision fixes the vulnerabilities:
- X9 Mainboards for Intel CPUs: X9SCA-F, X9SCM-F, X9DBL-iF, X9DR7-LN4F, X9DRi-F, X9DRW-3LN4F+, X9DRT-HF, 5037MC-H8TRF (X9SCD-F), SYS-2027TR-H71RF
Thomas Krenn strongly recommends that all affected customers apply the IPMI firmware updates and do not expose administrative access such as IPMI or SSH services to the Internet. Instead, allow access to authorized persons only through a firewall/VPN.
For additional information about the firmware update, please refer to the article IPMI Firmware Update for Supermicro Motherboards with ATEN IPMI Software.
- Supermicro IPMI Firmware Vulnerabilities
- Exploiting the Supermicro Onboard IPMI Controller
- Metasploit smt_ipmi_close_window_bof.rb
- Supermicro Firmware Fixes to Common Vulnerabilities and Exposures
- Supermicro Firmware List
Author: Georg Schönberger