Supermicro BMC security updates 2024-04
In April 2024, Supermicro published several BMC firmware updates for X11, X12, X13, H11, H12, H13, M11, M12, B11 and B12 mainboards to fix security vulnerabilities in the BMC firmware. Thomas-Krenn generally recommends that remote maintenance access such as IPMI, Redfish or SSH is only operated behind protected firewalls/VPNs and is never exposed directly to the Internet; see also IPMI Best Practices.
Here is an extract from the tabular overview of Supermicro's security vulnerabilities:[1]
| Issue ID | Severity | Issue type | Description |
|---|---|---|---|
| SMCI ID: SMC-2024010010; CVE ID: CVE-2024-36430; Binarly ID: BRLY-2023-022 | High | Command injection attack | The backend command used by the BMC for SMTP notification accepts unsanitized credentials, which allows BMC OS command injection. A BMC account with administrator privilege must be logged in. Supermicro CVSSv3 score: 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) |
| SMCI ID: SMC-2024010011; CVE ID: CVE-2024-36431; Binarly ID: BRLY-2023-023 | High | XSS attack | A poisoned lang local storage item is evaluated without sanitization, which allows the unauthorized creation of user accounts on behalf of the logged-in account with administrator privileges. Supermicro CVSSv3 score: 8.3 (AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H) |
| SMCI ID: SMC-2024010012; CVE ID: CVE-2023-33413; Binarly ID: BRLY-2023-030 | High | Command injection attack | Supermicro's BMC allows an SNMP configuration file to be uploaded and applied. The configuration file could be used to load additional modules from unauthorized dynamic libraries. The malicious configuration is persistent across BMC reboots. A BMC account with administrator privilege is required. Supermicro CVSSv3 score: 8.3 (AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H) |
Updates for Thomas-Krenn products
Updates for the corresponding system can be found in the download area of Thomas-Krenn. The updates in the download area have been tested by us to guarantee the stability and compatibility of our systems.
If you require the latest version for your system and it is not yet available in our download area, you can get it at Supermicro.
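After rolling out the updates it is useful to check every BMC in the fleet for the firmware version it actually runs. The following added example (not code from Thomas-Krenn or Supermicro) reads the FirmwareVersion property of the standard DMTF Redfish Manager resource and flags BMCs whose version is below a required minimum. It assumes the Manager resource is reachable at /redfish/v1/Managers/1 with HTTP Basic authentication; REQUIRED_VERSION is a placeholder, the real fixed version for each board family has to be taken from the Supermicro advisory.

```python
"""Flag BMCs whose firmware is older than a required version (Redfish check).

Assumptions (not from the Thomas-Krenn page): the BMC serves the DMTF Redfish
Manager resource at /redfish/v1/Managers/1 with a FirmwareVersion property,
and the caller supplies the fixed version from Supermicro's advisory.
"""
import base64
import json
import re
import ssl
import urllib.request

# PLACEHOLDER: replace with the fixed firmware version for your board family
# from the Supermicro advisory. This value is NOT taken from the advisory.
REQUIRED_VERSION = "01.03.00"


def parse_version(text):
    """Turn a version string such as '01.03.14' into a comparable int tuple."""
    parts = re.findall(r"\d+", text or "")
    if not parts:
        raise ValueError(f"no numeric version found in {text!r}")
    return tuple(int(p) for p in parts)


def firmware_from_manager(manager_json):
    """Extract FirmwareVersion from a parsed Redfish Manager resource."""
    version = manager_json.get("FirmwareVersion")
    if not version:
        raise KeyError("Manager resource carries no FirmwareVersion")
    return version


def needs_update(current, required=REQUIRED_VERSION):
    """True when the running firmware is older than the required version."""
    return parse_version(current) < parse_version(required)


def fetch_manager(host, user, password, manager_id="1", cafile=None):
    """GET the Manager resource with Basic auth; cafile pins the BMC's CA."""
    url = f"https://{host}/redfish/v1/Managers/{manager_id}"
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        url, headers={"Authorization": f"Basic {token}", "Accept": "application/json"})
    ctx = ssl.create_default_context(cafile=cafile)  # TLS verification stays on
    with urllib.request.urlopen(req, timeout=10, context=ctx) as resp:
        return json.load(resp)


def check_host(host, user, password, required=REQUIRED_VERSION, cafile=None):
    """Return (firmware_version, needs_update) for one BMC."""
    version = firmware_from_manager(fetch_manager(host, user, password, cafile=cafile))
    return version, needs_update(version, required)
```

Run check_host() for each BMC from a management network that can reach the Redfish interface; a True result marks a board that still has to be updated.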
References
- [1] Vulnerabilities in Supermicro BMC Firmware, April 2024 (www.supermicro.com, April 2024)