Seven vulnerabilities have been found in Supermicro’s baseboard management controllers (BMCs). Hackers can exploit them to gain complete control. Although patches have been released, the vulnerabilities may persist for a long time because the updates are not installed automatically.
According to Supermicro, the seven vulnerabilities in its baseboard management controllers (BMCs) have severity scores between 7.2 and 8.3 out of 10. With these scores, the company indicates that the problems cannot simply be ignored, and according to other security researchers, the company is even underestimating the scores.
A vulnerability in a BMC is never something to be taken lightly. A hacker who gains control of a BMC can take over the server, which gives them the ability to delete stored data or spread malware.
Affected devices
Earlier this week, researchers from Binarly released a report discussing the vulnerabilities. The problems occur in the Intelligent Platform Management Interface (IPMI), which older BMCs still rely on.
Supermicro clarified the situation, disclosing that the devices affected are “specific X11, H11, B11, CMM, M11 and H12 motherboards.” The company says it is unaware of any situations in which the vulnerabilities have already been exploited.
Patches
The company made patches available immediately so as not to let the problems persist. IT administrators must install them themselves, as the patches are not provided in an automatic update.
According to the CEO of Binarly, the company that discovered the vulnerabilities, Supermicro may not be the only one affected by the problems: “This is a supply chain issue, as other BMC vendors could potentially be affected by these vulnerabilities.” The vulnerabilities stem from IPMI firmware made by ATEN, which is also supplied to other companies. ATEN released a patch for the problem six months ago, but it never made its way into the firmware.