IPMI Security Updates
Like any operating system, IPMI remote maintenance chips are regularly provided with security updates. This article shows which security updates are available for the IPMI chips of Thomas-Krenn servers, and with which firmware version certain security vulnerabilities (listed by CVE number) are closed. For the IPMI configuration of your servers, please refer to our IPMI Best Practices (German article).
IPMI Firmware update matrix
The following matrix shows the firmware versions for all Supermicro X9- up to X12-based and also H11- and H12-based systems:[1]
Update for CVE | Supermicro H12 motherboards (AST2500) | Supermicro X12 motherboards (AST2500, Whitley platform) | Supermicro H11 motherboards (AST2500) | Supermicro X11 motherboards (AST2500, X11 Purley platform) | Supermicro X11 motherboards (AST2400) | Supermicro X10 motherboards (ASPEED-ATEN) | Supermicro X9 motherboards (Nuvoton-ATEN) |
---|---|---|---|---|---|---|---|
USBAnywhere | 3.10 (H12SSW-*) | (No information) | (In development) | 1.71.XX | 1.56 | 3.83 | (Special order) |
At Thomas-Krenn currently available in the download area | 3.10.9 (SMT_H12AST2500_64M_31009_V.bin) | (No information) | 1.52 (SMT_H11AST2500_32M_152_0.bin) | 1.71.XX (SMT_X11AST2500_171_11.bin) | 1.56 (SMT_X11_156.bin) | 3.86 (REDFISH_X10_386_20191115_unsigned.bin) | 3.53 (SMT_X9_353.bin) |
CVE-2019-6260 (Gaining control of BMC from the host processor) | 3.03 (H12SSW-*) | (No information) | 1.46 | 1.65 | 1.54 | 3.80 | (not affected **) |
CVE-2016-9310 (NTP Control Mode) | (not affected) | 1.22 | 1.38 | 3.52 | 3.54 | ||
CVE-2016-7407 (Dropbear-SSH) | (not affected) | 1.28 | 3.47 | 3.53 | |||
CVE-2016-7434 (NTP) | (under investigation) | 1.35 (*) | 3.52 (Release Notes: Upgrade NTP package to 4.2.8p9) | 3.54 (*) | |||
CVE-2003-0001 (Etherleak) | 1.16 | 1.37 (*) | 3.52 | (under investigation) | |||
CVE-2015-0204 (FREAK OpenSSL vulnerability), -0209, -0286 to -0289, -0292, -0293 (OpenSSL) | (not affected) | 1.94 | (under investigation) | ||||
CVE-2015-0235 (glibc library) | 2.13 | (Custom Firmware) | |||||
Update for CVE-2014-3566 (POODLE SSLv3) | 1.76 | 3.35 | |||||
Update for CVE-2013-4786 (Weak hash for RAKP) | - | 3.19 | |||||
Update for CVE-2013-3622 (CGI: logout.cgi) | 1.24 | 3.17 | |||||
Update for CVE-2013-3619 (Static Encryption Keys) | - | 3.17 | |||||
Update for CVE-2013-3621 (CGI: login.cgi), CVE-2013-3623 (CGI: close_window.cgi) | 1.24 | 3.15 |
(*) Information from 01.06.2018 from Supermicro on our request.
(**) Mainboards of the X9 series do not contain an Aspeed chip.
Information about new available updates
We recommend that you subscribe to the Server Downloads als RSS Feed (German article) so that you are automatically informed about newly available updates for your servers.
Further information
- Supermicro Server Management: IPMI Firmware Security (www.supermicro.com, 22.08.2014)
- Supermicro IPMI Security Updates July 2014
- Supermicro IPMI Security Updates November 2013
- Libupnp Buffer Overflow in Motherboards with Nuvoton Chips with IPMI WPCM450R Software (June 2013)
- Security Recommendations for Remote Maintenance Features for IPMI Chips with ATEN-Software (October 2011)
References
- [1] Firmware Fixes to Common Vulnerabilities and Exposures (www.supermicro.com)
Author: Werner Fischer
Werner Fischer, working in the Knowledge Transfer team at Thomas-Krenn, completed his studies of Computer and Media Security at FH Hagenberg in Austria. He is a regular speaker at many conferences like LinuxTag, OSMC, OSDC, LinuxCon, and author for various IT magazines. In his spare time he enjoys playing the piano and training for a good result at the annual Linz marathon relay.