Supermicro's BMC Firmware Found Vulnerable to Multiple Critical Vulnerabilities

MrGuvernment

Patron
Joined
Jun 15, 2017
Messages
268
First they stored stuff in plain text in 2014, and now this...

For those who do not know: you should NEVER EVER EVER expose any out-of-band interface directly to the internet, ever. If you are, please turn in your IT / Home Lab / Geek card and exit that way... (but first remove said devices from internet access).



A brief explainer of each of the vulnerabilities is below:

CVE-2023-40284, CVE-2023-40287, and CVE-2023-40288 (CVSS scores: 9.6) - Three cross-site scripting (XSS) flaws that allow remote, unauthenticated attackers to execute arbitrary JavaScript code in the context of the logged-in BMC user.

CVE-2023-40285 and CVE-2023-40286 (CVSS score: 8.6) - Two cross-site scripting (XSS) flaws that allow remote, unauthenticated attackers to execute arbitrary JavaScript code in the context of the logged-in BMC user by poisoning browser cookies or local storage.

CVE-2023-40289 (CVSS score: 9.1) - An operating system command injection flaw that allows for the execution of malicious code as a user with administrative privileges.

CVE-2023-40290 (CVSS score: 8.3) - A cross-site scripting (XSS) flaw that allows remote, unauthenticated attackers to execute arbitrary JavaScript code in the context of the logged-in BMC user, but only when using Internet Explorer 11 browser on Windows.

CVE-2023-40289 is "critical because it allows authenticated attackers to gain root access and completely compromise the BMC system," Binarly said in a technical analysis published this week.
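As an added illustration of the two bug classes in the list above (this is not Supermicro's firmware code and not taken from Binarly's write-up), the following Python shows each pattern in its vulnerable form next to a hardened one. The scenario is hypothetical: a BMC web handler greets the operator with a display name read from a cookie or local storage, and a diagnostics page pings an operator-supplied host as root; the function names and the ping diagnostic are assumptions for the example only.

```python
"""Added example (not Supermicro's firmware code, not from Binarly's write-up):
generic Python versions of the two bug classes in the advisory list above,
each shown as the vulnerable pattern next to a hardened one.

Hypothetical scenario: a BMC web handler greets the operator with a display
name read from a cookie / local storage, and a diagnostics page pings an
operator-supplied host as root.  Neither reflects a real Supermicro code path.
"""
from __future__ import annotations

import html
import re
import shlex

# --- 1. XSS via a poisoned cookie or local-storage value --------------------
# A value the browser stored for the BMC origin is still attacker-influenced
# (planted through another XSS, a sibling host on the same origin, or a MitM
# on plain HTTP), so it must be treated exactly like a query parameter.

def greeting_vulnerable(display_name: str) -> str:
    """Concatenates the stored value straight into markup: a value such as
    '<script>...</script>' runs as the logged-in BMC user."""
    return "<p>Welcome back, " + display_name + "</p>"


def greeting_hardened(display_name: str) -> str:
    """html.escape() converts < > & " ' to entities, so whatever was stored
    is rendered as text, never as markup."""
    return "<p>Welcome back, " + html.escape(display_name, quote=True) + "</p>"


# --- 2. OS command injection in a privileged handler ------------------------
# BMC web servers typically run as root; a shell metacharacter that reaches a
# shell string therefore becomes root command execution.

# Allow-list: hostname / IPv4 characters only, and no leading '-' so the value
# cannot be parsed as an option by ping (argument injection).
_HOST_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")


def ping_cmdline_vulnerable(host: str) -> str:
    """A command string destined for os.system()/popen(): /bin/sh parses
    '; id' or '$(reboot)' before ping ever sees the argument."""
    return f"ping -c 1 {host}"


def ping_cmdline_quoted(host: str) -> str:
    """Partial fix when a shell cannot be avoided: shlex.quote() wraps the
    value so the shell treats it as one literal word."""
    return f"ping -c 1 {shlex.quote(host)}"


def ping_argv_hardened(host: str) -> list[str]:
    """Full fix: validate against the allow-list, then build an argv list for
    subprocess.run(argv) so no shell is involved at all."""
    if not _HOST_RE.fullmatch(host):
        raise ValueError(f"rejected host value: {host!r}")
    return ["ping", "-c", "1", host]


if __name__ == "__main__":
    payload_xss = "<img src=x onerror=alert(document.cookie)>"
    payload_cmd = "127.0.0.1; cat /etc/shadow"
    print(greeting_vulnerable(payload_xss))
    print(greeting_hardened(payload_xss))
    print(ping_cmdline_vulnerable(payload_cmd))
    print(ping_cmdline_quoted(payload_cmd))
    try:
        ping_argv_hardened(payload_cmd)
    except ValueError as exc:
        print("hardened handler:", exc)
    print(ping_argv_hardened("10.10.0.5"))
```

The two layers in `ping_argv_hardened` are independent on purpose: the allow-list rejects anything that is not shaped like a host, and the argv list means that even a value which slipped past the regex would reach `ping` as a single argument rather than a shell command. Escaping on output (`html.escape`) is the same idea for the XSS case: the stored value is never trusted, only displayed.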
 

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,194
The XSS vulnerabilities are annoying, but easy to mitigate with some discipline (and surely you don't have mere users, that undisciplined rabble, accessing your BMCs' network, right...?).

The "admin user can do more stuff" vulnerability is silly. It makes serious attacks against the BMC slightly more straightforward, but it's a rather moot point when said attacks need to be carefully crafted either way.
 

Whattteva

Wizard
Joined
Mar 5, 2013
Messages
1,824
I mean... if you expose your BMC admin web UI to the DMZ, I almost think you kinda' deserve to be compromised...
 

MrGuvernment

Patron
Joined
Jun 15, 2017
Messages
268
So true @Ericloewe, but we know what "home users", and sadly some IT people who claim to be "IT Pros", can be like: they just want to connect everything directly to the internet so they can access it from their phone while they sit in Starbucks... :D

@Whattteva, I often feel that way, especially when you consider how often many people are told what they should never do with things, but then they go and do it anyway because apparently they are special and no one would bother attacking them... (not realizing that bots own the internet...)
 

Arwen

MVP
Joined
May 17, 2014
Messages
3,611
When I worked for Sun Microsystems back in 2003, they found that their fancy SunFire 3800/4800/6800's SP / Service Processor had a bug that was triggered by some Microsoft chatty protocol using broadcast packets. From that point on, Sun Microsystems recommended isolated networks for ALL SP / SC / RSC / ALOM / etc...

Gee, advice from 20 years ago still makes sense. Who would have thought that?
 

Whattteva

Wizard
Joined
Mar 5, 2013
Messages
1,824
but we know what "home users", and sadly some IT people who claim to be "IT Pros", can be like: they just want to connect everything directly to the internet so they can access it from their phone while they sit in Starbucks... :D
In their defense, it is super convenient when it's just directly connected like that and they can play with their home toys from anywhere.
 

MrGuvernment

Patron
Joined
Jun 15, 2017
Messages
268
In their defense, it is super convenient when it's just directly connected like that and they can play with their home toys from anywhere.
Certainly, but setting up a VPN tunnel can be pretty painless and quick as well and now lets you play with your toys, while also being more secure.

Things aren't as convenient when you are having to recover everything from ransomware and monitor to see if you had your identity stolen.
 

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,194
Yeah, a single VPN sounds a lot more convenient to me than endless hacking around with port forwards for everything and juggling mountains of random ports... Never mind the security implications, the practical reality is that only a lunatic would do something like this (due to excess work if behind NAT; due to "oh my god, how did this idiot ever get to manage any IT infrastructure" if handing out public IP addresses to BMCs).
 

MrGuvernment

Patron
Joined
Jun 15, 2017
Messages
268
Yeah, a single VPN sounds a lot more convenient to me than endless hacking around with port forwards for everything and juggling mountains of random ports... Never mind the security implications, the practical reality is that only a lunatic would do something like this (due to excess work if behind NAT; due to "oh my god, how did this idiot ever get to manage any IT infrastructure" if handing out public IP addresses to BMCs).
And if we ever have any hope that no one would do this, we can just let Shodan show us the lengths some will go to, to let the internet see everything they have!
 

Whattteva

Wizard
Joined
Mar 5, 2013
Messages
1,824
Yeah, a single VPN sounds a lot more convenient to me than endless hacking around with port forwards for everything and juggling mountains of random ports... Never mind the security implications, the practical reality is that only a lunatic would do something like this (due to excess work if behind NAT; due to "oh my god, how did this idiot ever get to manage any IT infrastructure" if handing out public IP addresses to BMCs).
Well, that's probably a wrong assumption though.
I think, generally, if you have enough tech know-how to set up a whole stack of services necessitating forwarding of multiple ports, then you're probably tech-savvy enough to set up a VPN anyway.

But the majority of people that do this probably just need one service exposed (usually something like Plex) or some kind of remote file service (Nextcloud or similar). So, at most, it will be 1-2 ports max. And for that use case, it's just much easier and simpler to type a few digits into the router web UI than to set up something like OpenVPN, which can get quite hairy, especially if you're setting up a routed tunnel vs. the simpler bridged tunnel. WireGuard is a bit simpler, but still requires a fair bit of knowledge.
 

MrGuvernment

Patron
Joined
Jun 15, 2017
Messages
268
Well, that's probably a wrong assumption though.
I think, generally, if you have enough tech know-how to set up a whole stack of services necessitating forwarding of multiple ports, then you're probably tech-savvy enough to set up a VPN anyway.

But the majority of people that do this probably just need one service exposed (usually something like Plex) or some kind of remote file service (Nextcloud or similar). So, at most, it will be 1-2 ports max. And for that use case, it's just much easier and simpler to type a few digits into the router web UI than to set up something like OpenVPN, which can get quite hairy, especially if you're setting up a routed tunnel vs. the simpler bridged tunnel. WireGuard is a bit simpler, but still requires a fair bit of knowledge.
1 service or 100 makes no difference: if someone can install Nextcloud or Plex, they can figure out how to run a VPN, and an OpenVPN split tunnel is literally 1 line in the config file one downloads. The issue is, they figure "who is going to hack me, I'm not important", not realizing it is not a person trying to hack them, but tens of thousands of automated systems running, scanning IPs 24/7 looking for that one exploit, unpatched server, whatever, to get a hold on...

And then we are where we are now, with many people infected and compromised who do not even know it, all because they wanted to be "lazy" and just port forward a service to the internet that should not be on the internet in the first place, like an out-of-band service.

Yes, I get passionate about this because I read about it all day long and it is always the same thing over and over and over: same password used for everything, same short password used and easily brute forced, same service exposed to the internet that should not have been, same system not patched that had a patch to fix an exploit a year ago, not applied... system compromised...
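Since the whole thread comes back to the same point, port forwards that drop an out-of-band interface onto the internet, here is an added example (not from any post above and not a real router export) of the check a sysadmin can script against an exported port-forward table. The rule format, the 10.10.0.0/24 management VLAN and the port list are all constructed for the example; the policy section is what you would adapt to your own network.

```python
"""Added example, not from any post in this thread and not a real router
export: a small audit of a router's port-forward (DNAT) table that flags
rules exposing out-of-band management to the internet.

Assumptions (all constructed for the example): the one-rule-per-line format
below, the 10.10.0.0/24 management VLAN, and the port list.  Adapt the
policy section to your own network.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Constructed sample table: "<proto> <wan_port> -> <lan_ip>:<lan_port> # note"
SAMPLE_FORWARDS = """\
tcp 32400 -> 192.168.1.20:32400   # plex
tcp 443   -> 192.168.1.21:443     # nextcloud behind reverse proxy
tcp 8443  -> 10.10.0.5:443        # "temporary" BMC web UI from my phone
udp 623   -> 10.10.0.5:623        # ipmitool from the road
tcp 5900  -> 192.168.1.30:5900    # iKVM / VNC console
"""

# Policy 1: nothing in the BMC / IPMI VLAN may be reachable from outside.
MGMT_NETS = [ipaddress.ip_network("10.10.0.0/24")]
# Policy 2: these ports are management-plane wherever they land.  623/udp is
# RMCP (IPMI-over-LAN); 5900 is the VNC-style remote console port.
OOB_PORTS = {("udp", 623), ("tcp", 623), ("tcp", 5900)}


@dataclass(frozen=True)
class Forward:
    proto: str
    wan_port: int
    lan_ip: ipaddress.IPv4Address
    lan_port: int
    note: str


def parse_forwards(text: str) -> list[Forward]:
    """Parse the constructed table; IPv4 targets only."""
    rules: list[Forward] = []
    for raw in text.splitlines():
        body, _, note = raw.partition("#")
        fields = body.split()
        if not fields:
            continue
        if len(fields) != 4 or fields[2] != "->":
            raise ValueError(f"unparseable rule: {raw!r}")
        proto, wan_port, _, target = fields
        ip_s, _, port_s = target.rpartition(":")
        rules.append(Forward(proto.lower(), int(wan_port),
                             ipaddress.IPv4Address(ip_s), int(port_s),
                             note.strip()))
    return rules


def audit(rules: list[Forward]) -> list[tuple[Forward, list[str]]]:
    """Return every rule that violates a policy, with the reasons."""
    findings = []
    for r in rules:
        reasons = []
        if any(r.lan_ip in net for net in MGMT_NETS):
            reasons.append("target is inside the management network")
        if (r.proto, r.lan_port) in OOB_PORTS:
            reasons.append(f"{r.lan_port}/{r.proto} is a management-plane service")
        if reasons:
            findings.append((r, reasons))
    return findings


def exposed_targets(text: str) -> set[str]:
    """The set of LAN addresses that must come off the internet (behind a VPN)."""
    return {str(r.lan_ip) for r, _ in audit(parse_forwards(text))}


if __name__ == "__main__":
    for rule, reasons in audit(parse_forwards(SAMPLE_FORWARDS)):
        print(f"{rule.proto}/{rule.wan_port} -> {rule.lan_ip}:{rule.lan_port}"
              f"  ({rule.note})")
        for why in reasons:
            print("   -", why)
```

Run against the constructed table, the Plex and Nextcloud forwards pass while the BMC web UI, the IPMI forward and the remote console are flagged; the IPMI rule trips both policies at once. The subnet check matters more than the port list: a BMC web UI forwarded on 8443 has no tell-tale port, so isolating management on its own VLAN (Arwen's point from the Sun days) is what makes the audit reliable.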
 