Supermicro BMC security updates "Terrapin attack", October 2024
In October 2024, Supermicro published several BMC firmware updates for X11, X12, H12, M12, X13, H13 and A3 motherboards and for CMM6 modules to eliminate a security vulnerability in the BMC firmware[1]. The so-called "Terrapin attack" can potentially be used to enable both parties to communicate using relatively insecure encryption algorithms such as ChaCha20-Poly1305 or CBC.[2] Thomas-Krenn generally recommends operating remote maintenance interfaces such as IPMI, Redfish or SSH only behind firewalls/VPNs and not exposing them openly on the Internet; see also IPMI Best Practices.
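As an added example (not code from Supermicro, Thomas-Krenn or the Terrapin researchers), the following Python parses an SSH server's KEXINIT message and reports whether it offers the ChaCha20-Poly1305 or CBC-with-EtM combinations that Terrapin targets and whether it advertises the strict key exchange countermeasure (kex-strict-s-v00@openssh.com, the mitigation introduced for CVE-2023-48795). The sample KEXINIT payloads are constructed here, not captured from a BMC.

```python
import struct

SSH_MSG_KEXINIT = 20
CHACHA20 = "chacha20-poly1305@openssh.com"
STRICT_KEX_SERVER = "kex-strict-s-v00@openssh.com"  # server-side strict-kex marker
FIELDS = ["kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]


def parse_kexinit(payload: bytes) -> dict:
    """Parse an SSH_MSG_KEXINIT payload (RFC 4253, 7.1) into its ten name-lists."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos = 1 + 16  # message id followed by the 16-byte cookie
    lists = {}
    for name in FIELDS:
        (length,) = struct.unpack(">I", payload[pos:pos + 4])
        pos += 4
        raw = payload[pos:pos + length].decode("ascii")
        pos += length
        lists[name] = [alg for alg in raw.split(",") if alg]
    return lists


def terrapin_exposure(lists: dict) -> dict:
    """Flag the Terrapin-relevant offers: ChaCha20-Poly1305, CBC with an EtM MAC, strict kex."""
    ciphers = set(lists["enc_c2s"]) | set(lists["enc_s2c"])
    macs = set(lists["mac_c2s"]) | set(lists["mac_s2c"])
    chacha = CHACHA20 in ciphers
    cbc_etm = (any(c.endswith("-cbc") for c in ciphers)
               and any(m.endswith("-etm@openssh.com") for m in macs))
    strict = STRICT_KEX_SERVER in lists["kex"]
    # Without strict kex, an affected cipher/MAC offer leaves the server exposed.
    return {"chacha20_poly1305": chacha, "cbc_etm": cbc_etm,
            "strict_kex": strict, "vulnerable": (chacha or cbc_etm) and not strict}


def build_kexinit(name_lists) -> bytes:
    """Construct a KEXINIT payload (zero cookie) for the samples below; not from a real BMC."""
    body = bytes([SSH_MSG_KEXINIT]) + b"\x00" * 16
    for names in name_lists:
        raw = ",".join(names).encode("ascii")
        body += struct.pack(">I", len(raw)) + raw
    return body + b"\x00" + b"\x00\x00\x00\x00"  # first_kex_packet_follows + reserved


# Constructed sample offers: an unpatched-style server and one that advertises strict kex.
COMMON = [["ssh-rsa"], [CHACHA20, "aes256-cbc"], [CHACHA20, "aes256-cbc"],
          ["hmac-sha2-256-etm@openssh.com"], ["hmac-sha2-256-etm@openssh.com"],
          ["none"], ["none"], [], []]
SAMPLE_UNPATCHED = build_kexinit([["curve25519-sha256"]] + COMMON)
SAMPLE_STRICT = build_kexinit([["curve25519-sha256", STRICT_KEX_SERVER]] + COMMON)
```

To check a real BMC, read the first binary packet the server sends after the version-string exchange on its SSH port, strip the 4-byte packet length and 1-byte padding length, and pass the payload to parse_kexinit; re-run the check after the firmware update to confirm the result has changed.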
CVE advisories
| CVE | Risk potential |
|---|---|
| CVE-2023-48795[3] | medium (5.9) |
Problem solution
Supermicro recommends performing a BMC update on all affected motherboards to close the security gap. You can find out which version is required from the release notes for the respective motherboards.
Updates for products of Thomas-Krenn
Updates for the corresponding system can be found in the download area of Thomas-Krenn. The updates in the download area have been tested by us to guarantee the stability and compatibility of our systems.
If you require the latest version for your system and it is not yet available there, you can obtain it from the Supermicro download area.
More information
- Terrapin attack: millions of SSH servers attackable but still manageable (www.heise.de, January 2024)
References
- [1] Vulnerability in Supermicro BMC IPMI Firmware, "Terrapin", October 2024 (www.supermicro.com, October 2024)
- [2] Terrapin attack information page (www.terrapin-attack.com)
- [3] CVE-2023-48795 (www.cve.mitre.org)
