IPMI Security Updates

From Thomas-Krenn-Wiki

Like any operating system, IPMI remote maintenance chips regularly receive security updates. This article shows which security updates are available for the IPMI chips of Thomas-Krenn servers, and in which firmware version specific security vulnerabilities (listed by CVE number) are closed. For the IPMI configuration of your servers, please refer to our IPMI Best Practices (German article).

IPMI Firmware update matrix

The following matrix shows the firmware versions for all Supermicro X9- up to X12-based and also H11- and H12-based systems:[1]

| Update for CVE | Supermicro H12 motherboards (AST2500) | Supermicro X12 motherboards (AST2500, Whitley platform) | Supermicro H11 motherboards (AST2500) | Supermicro X11 motherboards (AST2500, X11 Purley platform) | Supermicro X11 motherboards (AST2400) | Supermicro X10 motherboards (ASPEED-ATEN) | Supermicro X9 motherboards (Nuvoton-ATEN) |
| --- | --- | --- | --- | --- | --- | --- | --- |
| USBAnywhere | 3.10 (H12SSW-*) | (No information) | (In development) | 1.71.XX | 1.56 | 3.83 | (Special order) |
| At Thomas-Krenn currently available in the download area | 3.10.9 (SMT_H12AST2500_64M_31009_V.bin) | (No information) | 1.52 (SMT_H11AST2500_32M_152_0.bin) | 1.71.XX (SMT_X11AST2500_171_11.bin) | 1.56 (SMT_X11_156.bin) | 3.86 (REDFISH_X10_386_20191115_unsigned.bin) | 3.53 (SMT_X9_353.bin) |
| CVE-2019-6260 (Gaining control of BMC from the host processor) | 3.03 (H12SSW-*) | (No information) | 1.46 | 1.65 | 1.54 | 3.80 | (not affected **) |

CVE-2016-9310 (NTP Control Mode) (not affected) 1.22 1.38 3.52 3.54
CVE-2016-7407 (Dropbear-SSH) (not affected) 1.28 3.47 3.53
CVE-2016-7434 (NTP) (under investigation) 1.35 (*) 3.52 (Release Notes: Upgrade NTP package to 4.2.8p9) 3.54 (*)
CVE-2003-0001 (Etherleak) 1.16 1.37 (*) 3.52 (under investigation)
CVE-2015-0204 (FREAK OpenSSL vulnerability), -0209, -0286 to -0289, -0292, -0293 (OpenSSL) (not affected) 1.94 (under investigation)
CVE-2015-0235 (glibc library) 2.13 (Custom Firmware)
Update for CVE-2014-3566 (POODLE SSLv3) 1.76 3.35
Update for CVE-2013-4786 (Weak hash for RAKP) - 3.19
Update for CVE-2013-3622 (CGI: logout.cgi) 1.24 3.17
Update for CVE-2013-3619 (Static Encryption Keys) - 3.17
Update for CVE-2013-3621 (CGI: login.cgi), CVE-2013-3623 (CGI: close_window.cgi) 1.24 3.15

(*) Information provided by Supermicro on 01.06.2018 at our request.
(**) Mainboards of the X9 series do not contain an Aspeed chip.

Information about new available updates

We recommend that you subscribe to the Server Downloads as RSS Feed (German article) so that you are automatically informed about newly available updates for your servers.


Author: Werner Fischer

Werner Fischer, working in the Knowledge Transfer team at Thomas-Krenn, completed his studies of Computer and Media Security at FH Hagenberg in Austria. He is a regular speaker at many conferences like LinuxTag, OSMC, OSDC, LinuxCon, and author for various IT magazines. In his spare time he enjoys playing the piano and training for a good result at the annual Linz marathon relay.


Related articles

Libupnp Buffer Overflow in Motherboards with Nuvoton Chips with IPMI WPCM450R Software
Remote management Supermicro X12 and H12 Motherboards
Supermicro IPMI Security Updates July 2014