Multiple security vulnerabilities have been disclosed in the Intelligent Platform Management Interface (IPMI) firmware for Supermicro baseboard management controllers (BMCs) that could result in privilege escalation and execution of malicious code on affected systems.
The seven flaws, tracked from CVE-2023-40284 through CVE-2023-40290, vary in severity from High to Critical, according to Binarly, enabling unauthenticated actors to gain root access to the BMC system. Supermicro has shipped a BMC firmware update to patch the bugs.
BMCs are special processors on server motherboards that support remote management, enabling administrators to monitor hardware indicators such as temperature, set fan speed, and update the UEFI system firmware. What's more, BMC chips remain operational even if the host operating system is offline, making them lucrative attack vectors to deploy persistent malware.
A brief explainer of each of the vulnerabilities is below -
- CVE-2023-40284, CVE-2023-40287, and CVE-2023-40288 (CVSS scores: 9.6) - Three cross-site scripting (XSS) flaws that allow remote, unauthenticated attackers to execute arbitrary JavaScript code in the context of the logged-in BMC user.
- CVE-2023-40285 and CVE-2023-40286 (CVSS score: 8.6) - Two cross-site scripting (XSS) flaws that allow remote, unauthenticated attackers to execute arbitrary JavaScript code in the context of the logged-in BMC user by poisoning browser cookies or local storage.
- CVE-2023-40289 (CVSS score: 9.1) - An operating system command injection flaw that allows for the execution of malicious code as a user with administrative privileges.
- CVE-2023-40290 (CVSS score: 8.3) - A cross-site scripting (XSS) flaw that allows remote, unauthenticated attackers to execute arbitrary JavaScript code in the context of the logged-in BMC user, but only when using Internet Explorer 11 browser on Windows.
CVE-2023-40289 is "critical because it allows authenticated attackers to gain root access and completely compromise the BMC system," Binarly said in a technical analysis published this week.
"This privilege allows to make the attack persistent even while the BMC component is rebooted and to move laterally within the compromised infrastructure, infecting other endpoints."
The other six vulnerabilities – CVE-2023-40284, CVE-2023-40287, and CVE-2023-40288 in particular – could be used to create an account with admin privileges for the web server component of the BMC IPMI software.
As a result, a remote attacker looking to take control of the servers could combine them with CVE-2023-40289 to perform command injection and achieve code execution. In a hypothetical scenario, this could play in the form of sending a phishing email bearing a booby-trapped link to the administrator's email address that, when clicked, triggers the execution of the XSS payload.
There is presently no evidence of any malicious exploitation of the vulnerabilities in the wild, although Binarly said it observed more than 70,000 instances of internet-exposed Supermicro IPMI web interfaces at the start of October 2023.
"First, it is possible to remotely compromise the BMC system by exploiting vulnerabilities in the Web Server component exposed to the internet," the firmware security company explained.
"An attacker can then gain access to the Server's operating system via legitimate iKVM remote control BMC functionality or by flashing the UEFI of the target system with malicious firmware that allows persistent control of the host OS. From there, nothing prevents an attacker from lateral movement within the internal network, compromising other hosts."
Earlier this year, two security flaws were revealed in AMI MegaRAC BMCs that, if successfully exploited, could allow threat actors to remotely commandeer vulnerable servers and deploy malware.