Supermicro BMC vulnerabilities

If you have opted for the full build ( or use select supermicro X11, H11, B11, CMM, M11, and H12 motherboard) be aware that baseboard management consoles have newly reported vulnerabilities. This will require manual patching. New patches for X11SPH-nCTF are not yet available.

https://www.supermicro.com/en/support/security_BMC_IPMI_Oct_2023

This type of exploit is not unique to Supermicro and has allowed unkillable rootkits to be installed to HPE previously.

Best practices discourages connections to BMC over HTTP ( see https://www.supermicro.com/products/nfo/files/IPMI/Best_Practices_BMC_Security.pdf )

5 Likes

Thanks for posting this.

Definitely worth repeating that, generally, the BMC should not be accessible to the WAN, or even any more of the LAN than necessary.

1 Like

Agreed, my IPMIs are on their own VLAN

2 Likes

If we’re not using IPMI, how do we disable it to prevent possible infection?

Thanks.

Kevin

Check your motherboard for specifics. Sometimes there is a jumper that can be set to disable IPMI.

On some Supermicro boards:
In order to disable the IPMI, please login the IPMI site and select Configuration → LAN Select → Enable → Dedicated LAN (only) then click SET to save it. After that, you can un-plug the network cable at Dedicate LAN Port. That’s way, IPMI will be disable to access.

basically login to the interface and set it to local only, save it and pull the cable.

2 Likes

Thank you. That’s helpful.

Kevin

Don’t plug a cable into the IPMI socket?

3 Likes