Supermicro BMC vulnerabilities

daemon1001 · October 5, 2023, 1:50am

If you have opted for the full build ( or use select supermicro X11, H11, B11, CMM, M11, and H12 motherboard) be aware that baseboard management consoles have newly reported vulnerabilities. This will require manual patching. New patches for X11SPH-nCTF are not yet available.

https://www.supermicro.com/en/support/security_BMC_IPMI_Oct_2023

This type of exploit is not unique to Supermicro and has allowed unkillable rootkits to be installed to HPE previously.

Best practices discourages connections to BMC over HTTP ( see https://www.supermicro.com/products/nfo/files/IPMI/Best_Practices_BMC_Security.pdf )

SinisterPisces · October 5, 2023, 2:36am

Thanks for posting this.

Definitely worth repeating that, generally, the BMC should not be accessible to the WAN, or even any more of the LAN than necessary.

Bill · October 6, 2023, 1:42pm

Agreed, my IPMIs are on their own VLAN

kolepard · October 7, 2023, 11:34pm

If we’re not using IPMI, how do we disable it to prevent possible infection?

Thanks.

Kevin

daemon1001 · October 8, 2023, 4:05am

Check your motherboard for specifics. Sometimes there is a jumper that can be set to disable IPMI.

On some Supermicro boards:
In order to disable the IPMI, please login the IPMI site and select Configuration → LAN Select → Enable → Dedicated LAN (only) then click SET to save it. After that, you can un-plug the network cable at Dedicate LAN Port. That’s way, IPMI will be disable to access.

basically login to the interface and set it to local only, save it and pull the cable.

kolepard · October 10, 2023, 7:06pm

Thank you. That’s helpful.

Kevin

Bill · October 18, 2023, 6:29pm

Don’t plug a cable into the IPMI socket?