CWE-121: Stack-based Buffer Overflow - CVE-2013-3607

The Supermicro IPMI web interface contains multiple buffer overflows, including one in the username and password fields of the login screen. This may allow for privileged remote code execution on the Baseboard Management Controller (BMC).

CWE-20: Improper Input Validation - CVE-2013-3608
The Supermicro IPMI web interface does not properly sanitize input, which may allow an attacker to perform shell injection attacks and execute commands as a privileged user.

CWE-269: Improper Privilege Management - CVE-2013-3609
The Supermicro IPMI web interface relies on client-side privilege validation, which may allow an attacker to perform privilege escalation attacks.

This is a list of potentially vulnerable firmwares and models:

Firmware files (30): H8DGU_V250.zip, SMT_227.zip, SMT_236.zip, SMT_243.zip, SMT_250.zip, SMT_252.zip, SMT_255.zip, SMT_257.zip, SMT_SX_266.zip, SMT_V220.zip, SMT_X9_160.zip, SMT_X9_164.zip, SMT_X9_165.zip, SMT_X9_176.zip, SMT_X9_186.zip, SMT_X9_187.zip, SMT_X9_188.zip, SMT_X9_189.zip, SMT_X9_210.zip, SMT_X9_213.zip, SMT_X9_214.zip, SMT_X9_215.zip, SMT_X9_216.zip, SMT_X9_217.zip, SMT_X9_220.zip, SMT_X9_221.zip, SMT_X9_222.zip, SMT_X9_226.zip, SMT_X9_227.zip, SMT_X9DB3_V406.zip.

Names (73): IPMI_7SPA, IPMI_7SPE, IPMI_7SPT, IPMI_7SPT-DF-D525+, IPMI_8DG6, IPMI_8DGG, IPMI_8DGTH, IPMI_8DGT-HLF/HLIBQF, IPMI_8DGU, IPMI_8DGUL, IPMI_8DTL, IPMI_8DTN+, IPMI_8DTU+, IPMI_8SGL, IPMI_8SI6, IPMI_8SIA, IPMI_8SIL, IPMI_8SIT-F, IPMI_8SIT-HF, IPMI_8SIU, IPMI_8SME-F, IPMI_8SML-7/i(F), IPMI_9DAX-7/i(T)F, IPMI_9DAX-i/7F-HFT, IPMI_9DB3/i-(TP)F, IPMI_9DBL-iF/3F, IPMI_9DR3, IPMI_9DR7/E-TF+,IPMI_9DR7-LN4F, IPMI_9DRD-7LN4F-JBOD, IPMI_9DRD-IF, IPMI_9DRFF-(7), IPMI_9DRFF-7/i(T)+, IPMI_9DRFF-7/i(T)G+, IPMI_9DRFR, IPMI_9DRG, IPMI_9DRG-H, IPMI_9DRH, IPMI_9DRi,
IPMI_9DRi/3-LN4F+, IPMI_9DRL-3/iF, IPMI_9DRL-EF, IPMI_9DRT-F, IPMI_9DRT-H6, IPMI_9DRT-HF+, IPMI_9DRT-HF/HIBFF/HIBQF, IPMI_9DRW-3, IPMI_9DRW-7/iTPF+, IPMI_9DRW-7TPF, IPMI_9DRX, IPMI_9QR7/i, IPMI_9QR7-TF, IPMI_9SBAA-F, IPMI_9SCD, IPMI_9SCE-F, IPMI_9SCFF-F, IPMI_9SCI-LN4F, IPMI_9SCM, IPMI_9SCM-iiF, IPMI_9SPU-F, IPMI_9SRD-F, IPMI_9SRE/i-(3)F, IPMI_9SRG, IPMI_9SRL, IPMI_9SRW-F, IPMI_DTU4L, IPMI_H8DCL, IPMI_H8DCT, IPMI_H8DCT-H, IPMI_SCM, IPMI_X9DBU-3F/iF, IPMI_X9DR7/E-LN4F, IPMI_X9DRD-7LN4F.

Device models (135): X9SRW-F, X9SRL-F, X9SRG-F, X9SRE-3F, X9SRE-F, X9SRi-3F, X9SRi-F, X9SRD-F, X9SPU-F, X9SCM-iiF, X9SCL+-F, X9SCL-F, X9SCM-F, X9SCI-LN4F, X9SCFF-F, X9SCE-F, X9SCA-F, X9SCD-F, X9SBAA-F, X9QR7-TF, X9QR7-TF-JBOD, X9QRi-F, X9QR7-TF+, X9QRi-F+, X9DRX+-F, X9DRX+-F, X9DRW-iTPF, X9DRW-7TPF+, X9DRW-iTPF+, X9DRW-3LN4F+, X9DRW-3TF+, X9DRT-HF+, X9DRT-H6F, X9DRT-H6IBFF,
X9DRT-H6IBQF, X9DRT-F, X9DRT-IBFF, X9DRT-IBQF, X9DRL-EF, X9DRL-3F, X9DRL-iF, X9DRi-F, X9DRH-7F, X9DRH-7TF, X9DRH-iF, X9DRH-iTF, X9DRG-HF, X9DRG-HTF, X9DRG-HF+, X9DRG-HTF+, X9DRFR, X9DRFF,
X9DRFF-7, X9DRFF-7G+, X9DRFF-7TG+, X9DRFF-iG+, X9DRFF-iTG+, X9DRFF-7+, X9DRFF-7T+, X9DRFF-i+, X9DRFF-iT+, X9DRD-iF, X9DRD-7LN4F, X9DRD-EF, X9DRD-7JLN4F, X9DRD-7LN4F-JBOD, X9DR7-TF+, X9DRE-TF+, X9DR7-LN4F, X9DRE-LN4F, X9DR7-LN4F-JBOD, X9DR3-LN4F+, X9DRi-LN4F+, X9DR3-F, X9DBU-3F, X9DBU-iF, X9DBL-3F, X9DBL-iF, X9DB3-F, X9DB3-TPF, X9DBi-F, X9DBi-TPF, X9DAX-7F, X9DAX-7TF, X9DAX-iF, X9DAX-iTF, X9DAX-7F-HFT, X9DAX-iF-HFT, X8SIU-F, X8SIT-HF, X8SIT-F, X8SIL-F, X8SIA-F, X8SI6-F, X8SIE-F, X8SIE-LN4F, X8DTU-LN4F+, X8DTU-LN4F+-LR, X8DTU-6F+, X8DTU-6F+-LR, X8DTU-6TF+, X8DTU-6TF+-LR, X8DTN+-F, X8DTN+-F-LR, X8DTL-3F, X8DTL-6F, X8DTL-IF, X7SPT-DF-D525, X7SPT-DF-D525+, X7SPA-HF, X7SPA-HF-D525, X7SPE-H-D525, X7SPE-HF, X7SPE-HF-D525, H8SML-7, H8SML-7F, H8SML-i,
H8SML-iF, H8SME-F, H8SGL-F, H8SCM-F, H8DGU-LN4F+, H8DGU-F, H8DGT-HLF, H8DGT-HLIBQF, H8DGT-HF, H8DGT-HIBQF, H8DGG-QF, H8DG6-F, H8DGi-F, H8DCT-HIBQF, H8DCT-HLN4F, H8DCT-F, H8DCT-IBQF, H8DCL-6F, H8DCL-iF.

A remote unauthenticated attacker may obtain sensitive information, cause a denial of service, or execute arbitrary code as a privileged user.

We are currently unaware of a practical solution to this problem. Please consider the following workarounds:

Restrict IPMI to Internal Networks
Restrict IPMI traffic to trusted internal networks. Traffic from IPMI (usually UDP port 623) should be restricted to a management VLAN segment with strong network controls. Scan for IPMI usage outside of the trusted network and monitor the trusted network for abnormal activity.