Security vulnerabilities have been disclosed in the Intelligent Platform Management Interface (IPMI) firmware of the Supermicro baseboard management controllers (BMCs) used in some Cloudian storage appliances. The seven flaws, tracked as CVE-2023-40284 through CVE-2023-40290, range in severity from High to Critical according to Binarly, the firm that reported them. They could allow privilege escalation and execution of malicious code, enabling unauthenticated actors to gain root access to the BMC.

At this time, we know of no Cloudian customers who have experienced issues related to this. The issue potentially affects the following Cloudian products: HSA-1600 (SMC), HSA-4200, HSF-1100, HSF-1000 and HBL-1000 series hardware. The vulnerabilities do not exist on the HSA-4418 hardware, which is based on a Supermicro server with an X12 motherboard, so the security updates described below do not apply to the HSA-4418 model.

A firmware update is now available from Cloudian. Here are the details on these vulnerabilities and the update.

Security Concerns and Description

One of the seven vulnerabilities, tracked as CVE-2023-40289, can allow the execution of malicious code inside the baseboard management controller (BMC). Exploiting it, however, first requires administrative privileges in the web interface used to configure and control the BMC. The remaining six vulnerabilities are cross-site scripting (XSS) flaws in that web interface which do not require a login: an attacker who lures a BMC administrator into opening a crafted link while the administrator still has an authenticated session can run script in the administrator's browser, in the administrator's BMC context. A realistic attack therefore chains one or more of the six XSS flaws with CVE-2023-40289, using the administrator's authenticated session to deliver the command injection.

Supermicro advisory: https://www.supermicro.com/en/support/security_BMC_IPMI_Oct_2023

A summary of the vulnerabilities is:

CVE-2023-40289
  Severity: High
  Issue type: Command injection
  Description: An attacker needs to be logged in to the BMC with administrator privileges to exploit the vulnerability. An unvalidated input value could allow the attacker to perform command injection.
  Supermicro CVSSv3 score: 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)

CVE-2023-40284, CVE-2023-40287, CVE-2023-40288
  Severity: High
  Issue type: Cross-site scripting (XSS)
  Description: An attacker could send a phishing link that does not require login, tricking BMC administrators into clicking on it while they are still logged in to, and thus authenticated by, the BMC Web UI.
  Supermicro CVSSv3 score: 8.3 (AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)

CVE-2023-40290
  Severity: High
  Issue type: Cross-site scripting (XSS)
  Description: An attacker could send a phishing link that does not require login, tricking BMC administrators into clicking on it while they are still logged in to, and thus authenticated by, the BMC Web UI. This vulnerability can only be exploited using the Windows Internet Explorer 11 browser.
  Supermicro CVSSv3 score: 8.3 (AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)

CVE-2023-40285
  Severity: High
  Issue type: Cross-site scripting (XSS)
  Description: An attacker could send a phishing link that does not require login, tricking BMC administrators into clicking on it while they are still logged in to, and thus authenticated by, the BMC Web UI. The attacker poisons the administrator's browser cookies to create a new user.
  Supermicro CVSSv3 score: 8.3 (AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)

CVE-2023-40286
  Severity: High
  Issue type: Cross-site scripting (XSS)
  Description: An attacker could send a phishing link that does not require login, tricking BMC administrators into clicking on it while they are still logged in to, and thus authenticated by, the BMC Web UI. The attacker poisons the administrator's browser cookies and local storage to create a new user.
  Supermicro CVSSv3 score: 8.3 (AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)
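Two of the XSS flaws above end with the attacker creating a new BMC user through the administrator's session. A practical check while the update is being rolled out is to audit the BMC user table of every node against the accounts you expect. The script below is an added example written for this advisory, not code from Cloudian or Supermicro: it parses the column layout printed by `ipmitool user list`, flags any account that is not on an allowlist or whose privilege level has changed, and runs here against a constructed sample in which the "backup" ADMINISTRATOR account is the invented rogue user. The allowlist is an assumption; replace it with the accounts you provisioned.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample of `ipmitool ... user list 1` output, in ipmitool's
# column layout. The "backup" ADMINISTRATOR account is an invented example of
# the kind of user an attacker would add after riding an administrator's session.
SAMPLE_USER_LIST = """\
ID  Name             Callin  Link Auth  IPMI Msg   Channel Priv Limit
1                    true    false      false      NO ACCESS
2   ADMIN            true    false      true       ADMINISTRATOR
3   monitor          true    false      true       USER
4   backup           true    false      true       ADMINISTRATOR
"""

# Accounts the operator expects on the appliance BMCs (assumed for this example).
EXPECTED_USERS = {"ADMIN": "ADMINISTRATOR", "monitor": "USER"}

# One row: numeric id, optional name, three true/false columns, then the
# privilege text (which may contain a space, e.g. "NO ACCESS").
USER_LINE = re.compile(
    r"^\s*(?P<uid>\d+)\s+(?P<name>\S*)\s+(?P<callin>true|false)\s+"
    r"(?P<link>true|false)\s+(?P<ipmi>true|false)\s+(?P<priv>\S.*?)\s*$"
)


@dataclass(frozen=True)
class BmcUser:
    uid: int
    name: str          # empty for unused slots (slot 1 is usually unnamed)
    ipmi_msg: bool     # account may use IPMI over the network
    priv: str          # channel privilege limit, e.g. ADMINISTRATOR


def parse_user_list(text: str) -> list[BmcUser]:
    """Parse `ipmitool user list` output; header and blank lines are skipped."""
    users = []
    for line in text.splitlines():
        m = USER_LINE.match(line)
        if m:
            users.append(BmcUser(int(m["uid"]), m["name"], m["ipmi"] == "true", m["priv"]))
    return users


def audit_users(users: list[BmcUser], expected: dict[str, str]) -> list[str]:
    """One finding per named account that is not allowlisted or whose
    privilege level differs from the allowlisted one."""
    findings = []
    for u in users:
        if not u.name:
            continue  # unused slot, nothing to audit
        if u.name not in expected:
            findings.append(f"unexpected account {u.name!r} (id {u.uid}) with privilege {u.priv}")
        elif expected[u.name] != u.priv:
            findings.append(f"account {u.name!r} has privilege {u.priv}, expected {expected[u.name]}")
    return findings


if __name__ == "__main__":
    for finding in audit_users(parse_user_list(SAMPLE_USER_LIST), EXPECTED_USERS):
        print(finding)
```

Run it against the real output of `ipmitool -I lanplus -H <bmc-address> -U <user> user list 1` from each node; an unexpected ADMINISTRATOR account on a BMC whose web interface was reachable by untrusted users is a reason to treat that node as compromised rather than merely unpatched.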


Who Is at Risk?

There is a potential risk of the BMC being remotely compromised through these vulnerabilities if its web server component is exposed to the Internet, or to any other network an attacker can reach. If that occurs, an attacker can gain access to the server's operating system through the BMC's iKVM remote-control functionality, or flash malicious UEFI firmware onto the target system to obtain persistent control of the host OS.

Known Exposures

While Supermicro has confirmed these vulnerabilities, we know of no customers who have experienced any issues related to them at the time of this notification.

Cloudian’s Actions and Recommendations to Address

An update is available that addresses the recently discovered BMC vulnerabilities, which were identified by researchers working in cooperation with Supermicro. The vulnerabilities relate to cross-site scripting and command injection in the BMC web user interface (Web IPMI tool).

Patching the seven vulnerabilities requires manual installation of the following firmware update:

smcbiosbmcupg.bin

The update must be applied manually on every node, and a reboot is required for it to take effect. It updates the BMC first, then the BIOS, and then prompts you to reboot the system so that the new firmware takes effect.

The BMC Web UI (Web IPMI tool) checks the appliance model and updates the BMC and BIOS firmware to the following versions on the affected appliances:

Appliance model     BMC version   BIOS version
HSA-1600s Series    1.74.13       4.0
HSA-4200s Series    3.10.35       4.0
HSF-1000s Series    1.74.13       4.0


Please contact your Cloudian representative or Cloudian Support to obtain this tool.
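Because the update has to be applied node by node and only takes effect after a reboot, it is easy to end up with a cluster in which some nodes still report the old firmware. The script below is an added example for this advisory, not a Cloudian or Supermicro tool: given an inventory of the BMC and BIOS versions each node reports after the reboot, it compares them numerically against the fixed versions in the table above and lists which component is still out of date. The inventory CSV, the host names and every version string other than the fixed ones are constructed for the example; the treatment of models outside the table (such as the HSA-4418, to which the update does not apply) as "not applicable" follows the advisory text.

```python
from __future__ import annotations

import csv
import io
import re

# Minimum fixed firmware per appliance family, taken from the version table
# in this advisory.
FIXED_VERSIONS = {
    "HSA-1600": {"bmc": "1.74.13", "bios": "4.0"},
    "HSA-4200": {"bmc": "3.10.35", "bios": "4.0"},
    "HSF-1000": {"bmc": "1.74.13", "bios": "4.0"},
}

# Constructed inventory: hosts and the non-fixed version strings are invented.
SAMPLE_INVENTORY = """\
host,model,bmc_version,bios_version
node01,HSA-1600s Series,1.74.13,4.0
node02,HSA-1600s Series,1.73.06,3.9
node03,HSA-4200s Series,3.10.35,4.0
node04,HSF-1000s Series,1.74.13,3.8
node05,HSA-4418,1.01.21,1.4
"""

# "HSA-1600s Series" -> family key "HSA-1600"
MODEL_FAMILY = re.compile(r"^(HS[AF]|HBL)-\d{4}")


def parse_version(v: str) -> tuple[int, ...]:
    """'01.74.13' -> (1, 74, 13). Numeric tuples compare correctly where a
    plain string comparison would rank '1.9' above '1.74'."""
    return tuple(int(p) for p in v.strip().split("."))


def outdated_components(model: str, bmc: str, bios: str) -> list[str] | None:
    """Components still below the fixed version; [] when the node is patched;
    None when the model is not in the table (e.g. HSA-4418, not affected)."""
    m = MODEL_FAMILY.match(model.strip())
    fixed = FIXED_VERSIONS.get(m.group(0)) if m else None
    if fixed is None:
        return None
    have = {"bmc": bmc, "bios": bios}
    return [c for c in ("bmc", "bios") if parse_version(have[c]) < parse_version(fixed[c])]


def fleet_report(inventory_csv: str) -> dict[str, str]:
    """Map each host to 'patched', 'needs update: ...' or 'not applicable'."""
    report = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        missing = outdated_components(row["model"], row["bmc_version"], row["bios_version"])
        if missing is None:
            report[row["host"]] = "not applicable"
        elif not missing:
            report[row["host"]] = "patched"
        else:
            report[row["host"]] = "needs update: " + ", ".join(missing)
    return report


if __name__ == "__main__":
    for host, status in fleet_report(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Collect the version strings from each BMC after the post-update reboot, since a node that has been flashed but not rebooted still runs the old firmware. A node reported as "needs update: bios" is one where the BMC stage completed but the BIOS stage or the reboot did not, which is exactly the partial state the manual, per-node procedure can leave behind.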

Additional Information and Resources

The following Cloudian Knowledge Base Article, published as a Security Advisory, is available to registered customers through the Cloudian Support Portal at https://cloudian-support.force.com.

KBA# 2877: https://support.cloudianhyperstore.com/s/article/CVE-Vulnerabilities-with-Supermicro-Servers-Oct-2023