Full Report
Baseboard Management Controllers (BMCs) are used for the remote monitoring of systems. Typically the BMC is a dedicated chip inside the server with its own network connection, separate from the host's. It can be used to change or update low-level components such as UEFI firmware, or to give console access to the server. Since it can be accessed remotely, ensuring that the BMC is secure is incredibly important. One way of accessing it is via the IPMI protocol; the device also exposes a web interface for interacting with it. The first vulnerability is a command injection within the email notification functionality. Setting it up does require an administrative login, though. The next three vulnerabilities are all reflected XSS bugs. Using these, an attacker can trick a user into visiting a maliciously crafted link that creates a user account or performs other unwanted actions. Paired together, these vulnerabilities allow for a one-click RCE: the XSS is chained to create an account, and that account is then used to reach the command injection. Overall, the bugs are pretty standard and nothing special. The interesting part to me is the impact and the target that is being hit.
Analysis Summary
# Vulnerability: Supermicro BMC Remote Code Execution Chain
## CVE Details
- **CVE ID:** CVE-2023-40289 (Primary RCE), CVE-2023-40284, CVE-2023-40287, CVE-2023-40288 (Reflected XSS), CVE-2023-40290, CVE-2023-40285, CVE-2023-40286 (Stored XSS)
- **CVSS Score:** 9.1 - 9.6 (Critical)
- **CWE:** CWE-78 (OS Command Injection), CWE-79 (Cross-site Scripting)
## Affected Systems
- **Products:** Supermicro IPMI firmware (developed by ATEN)
- **Versions:** X11 platforms (Firmware versions prior to October 2023 update; specifically tested on 1.66)
- **Configurations:** Systems with BMC web interfaces exposed to the network.
## Vulnerability Description
The flaw consists of a chain of vulnerabilities within the Supermicro BMC web management interface:
1. **Command Injection (CVE-2023-40289):** Located in the email notification configuration. The backend fails to sanitize input before passing it to a system shell. While this requires administrative privileges, it allows for full root access to the BMC OS.
2. **Reflected XSS (CVE-2023-40284/87/88):** Multiple endpoints fail to sanitize URL parameters, allowing attackers to execute arbitrary JavaScript in a victim's browser session.
3. **Stored XSS (CVE-2023-40290/85/86):** Vulnerabilities where malicious scripts are stored in cookies or local storage (e.g., via the `lang` setting) and subsequently executed using `eval()`.
## Exploitation
- **Status:** PoC available (detailed in Binarly research).
- **Complexity:** Low (Standard XSS and Command Injection techniques).
- **Attack Vector:** Network. An unauthenticated attacker can use XSS to trick an administrator into unwittingly performing actions (like creating a new admin account or triggering the command injection) to achieve RCE.
## Impact
- **Confidentiality:** Total (Root access to BMC firmware).
- **Integrity:** Total (Capability to modify UEFI/BIOS and install persistent implants).
- **Availability:** Total (Ability to shut down servers or brick hardware).
## Remediation
### Patches
- Update Supermicro BMC firmware to the latest versions released in **October 2023** or later. Users should consult the Supermicro Security Advisory for specific platform firmware IDs.
- **Reference:** hxxps://www[.]supermicro[.]com/en/support/security_BMC_IPMI_Oct_2023
### Workarounds
- **Network Isolation:** Ensure BMC management ports are on a dedicated, isolated management VLAN (out-of-band) and not accessible from the public internet or general production networks.
- **Access Control:** Restrict web interface access to trusted IP addresses only.
## Detection
- **Indicators of Compromise:** Unusual administrative account creation; unexpected configuration changes in email alert settings; presence of shell metacharacters (`;`, `&`, `|`) in web server logs.
- **Detection methods:** Use the Binarly Transparency Platform or the free "FWHunt" scanner to check for vulnerable firmware signatures.
- **Audit:** Review BMC logs for unauthorized login attempts or modifications to the firmware/UEFI.
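The log-based indicators above can be checked mechanically. The following is an added example (not code from Binarly, Supermicro or the original report) that parses combined-format web server access log lines, URL-decodes each query-string value and flags shell metacharacters inside individual values, and flags hits on the email-alert and user-management endpoints. The CGI paths and the log lines are constructed placeholders, since the page does not give the real endpoint names; the check only sees GET query strings, because POST bodies are not recorded in access logs.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Shell metacharacters listed as IoCs on this page (; & |) plus backtick and
# $( command substitution. Matched only inside decoded parameter values.
SHELL_META = re.compile(r"[;|&`]|\$\(")

# Apache/nginx combined log format; capture just what this check needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# ASSUMPTION: placeholder endpoint names. The real Supermicro CGI paths are
# not given on the page; replace these with the paths seen on the appliance.
ALERT_PATHS = ("/cgi/config_alert.cgi",)
ACCOUNT_PATHS = ("/cgi/config_user.cgi",)

def inspect_line(line):
    """Classify one access-log line. Returns a dict with a (possibly empty)
    'reasons' list, or None if the line is not in combined log format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    reasons = []
    # parse_qsl splits on '&' before decoding, so the '&' that separates
    # ordinary parameters is never reported; only '&' (%26) inside a value is.
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if SHELL_META.search(value):
            reasons.append(f"shell metacharacter in {key}={value!r}")
    if parts.path in ALERT_PATHS:
        reasons.append("email alert configuration endpoint accessed")
    if parts.path in ACCOUNT_PATHS:
        reasons.append("user account endpoint accessed")
    return {"ip": m.group("ip"), "ts": m.group("ts"),
            "path": parts.path, "reasons": reasons}

def scan(lines):
    """Return only the parsed entries that have at least one reason."""
    return [e for e in (inspect_line(l) for l in lines) if e and e["reasons"]]

# Constructed sample lines (not real Supermicro logs).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Nov/2023:10:00:01 +0000] "GET /cgi/status.cgi?page=1&rows=20 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Nov/2023:10:00:07 +0000] "GET /cgi/config_alert.cgi?receiver=ops%40example.com%3Bid&interval=5 HTTP/1.1" 200 77',
    '10.0.0.9 - - [01/Nov/2023:10:00:09 +0000] "GET /cgi/config_user.cgi?name=backup&priv=4 HTTP/1.1" 200 77',
]

if __name__ == "__main__":
    for entry in scan(SAMPLE_LOG):
        print(entry["ts"], entry["ip"], entry["path"], "; ".join(entry["reasons"]))
```

Hits on the alert and account endpoints are review prompts, not proof of compromise; correlate them with the BMC's own audit log for the same timestamp and source address.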
## References
- **Supermicro Advisory:** hxxps://www[.]supermicro[.]com/en/support/security_BMC_IPMI_Oct_2023
- **Binarly Research:** hxxps://binarly[.]io/posts/Binarly_REsearch_Uncovers_Major_Vulnerabilities_in_Supermicro_BMCs/index[.]html
- **CISA/NSA Hardening Guide:** hxxps://media[.]defense[.]gov/2023/Jun/14/2003241405/-1/-1/0/CSI_HARDEN_BMCS[.]PDF