Vulnerability CVE-2019-16649


Published: 2019-09-20   Modified: 2019-09-21

Description:
On Supermicro H11, H12, M11, X9, X10, and X11 products, a combination of encryption and authentication problems in the virtual media service allows capture of BMC credentials and data transferred over virtual media devices. Attackers can use captured credentials to connect virtual USB devices to the server managed by the BMC.

Type:

CWE-798

Vendor: Supermicro
Product: X11ssw-f firmware 
Version: 3.85.00;
Product: X10sle-f firmware 
Version: 3.83;
Product: A1sri-2358f firmware 
Version: 3.83;
Product: X10drff-c firmware 
Version: 3.83;
Product: X10drt-h firmware 
Version: 3.83;
Product: X10sl7-f firmware 
Version: 3.83;
Product: A1sa2-2750f firmware 
Version: 3.83;
Product: X10drd-it firmware 
Version: 3.83;
Product: X10drl-i firmware 
Version: 3.83;
Product: X10obi-cpu firmware 
Version: 3.83;
Product: X10sdv-8c-tln4f+ firmware 
Version: 3.83;
Product: X10drc-ln4+ firmware 
Version: 3.83;
Product: X10dri-t4+ firmware 
Version: 3.83;
Product: X10drw-n firmware 
Version: 3.83;
Product: X10sdv-6c+-tln4f firmware 
Version: 3.83;
Product: X10sri-f firmware 
Version: 3.83;
Product: X10dbt-t firmware 
Version: 3.83;
Product: X10drh-ct firmware 
Version: 3.83;
Product: X10dru-xll firmware 
Version: 3.83;
Product: X10sdv-4c+-tln4f firmware 
Version: 3.83;
Product: X10sra firmware 
Version: 3.83;
Product: X10drg-o+-cpu firmware 
Version: 3.83;
Product: X10sdv-16c-tln4f firmware 
Version: 3.83;
Product: X10slm+-f firmware 
Version: 3.83;
Product: A1srm-ln7f-2758 firmware 
Version: 3.83;
Product: X10drfr-nt firmware 
Version: 3.83;
Product: X10drt-pibq firmware 
Version: 3.83;
Product: X10sdv-12c+-tln4f firmware 
Version: 3.83;
Product: X10slh-f firmware 
Version: 3.83;
Product: A1sri-2758f firmware 
Version: 3.83;
Product: X10drff-ctg firmware 
Version: 3.83;
Product: X10drt-l firmware 
Version: 3.83;
Product: X10sae firmware 
Version: 3.83;
Product: X10sld-f firmware 
Version: 3.83;
Product: A1sai-2750f firmware 
Version: 3.83;
Product: X10drd-l firmware 
Version: 3.83;
Product: X10drl-ln4 firmware 
Version: 3.83;
Product: X10sdv-f firmware 
Version: 3.83;
Product: X10drd-i firmware 
Version: 3.83;
Product: X10dri firmware 
Version: 3.83;
Product: X10drx firmware 
Version: 3.83;
Product: X10sdv-7tp4f firmware 
Version: 3.83;
Product: X10srm-f firmware 
Version: 3.83;
Product: X10ddw-in firmware 
Version: 3.83;
Product: X10drh-iln4 firmware 
Version: 3.83;
Product: X10drw-et firmware 
Version: 3.83;
Product: X10sdv-4c-7tp4f firmware 
Version: 3.83;
Product: X10srg-f firmware 
Version: 3.83;
Product: X10drg-q firmware 
Version: 3.83;
Product: X10sdv-2c-tln2f firmware 
Version: 3.83;
Product: X10slm-f firmware 
Version: 3.83;
Product: X10drfr firmware 
Version: 3.83;
Product: X10drt-pt firmware 
Version: 3.83;
Product: X10sdv-12c-tln4f firmware 
Version: 3.83;
Product: X10sll-f firmware 
Version: 3.83;
Product: A1srm-2758f firmware 
Version: 3.83;
Product: X10drff-itg firmware 
Version: 3.83;
Product: X10drt-libq firmware 
Version: 3.83;
Product: X10sle-df firmware 
Version: 3.83;
Product: A1sam-2750f firmware 
Version: 3.83;
Product: X10drd-ltp firmware 
Version: 3.83;
Product: X10drt-b+ firmware 
Version: 3.83;
Product: X10sdv-tp8f firmware 
Version: 3.83;
Product: X10drd-intp firmware 
Version: 3.83;
Product: X10drl-ct firmware 
Version: 3.83;
Product: X10dsn-ts firmware 
Version: 3.83;
Product: X10sdv-8c+-ln2f firmware 
Version: 3.83;
Product: X10srw-f firmware 
Version: 3.83;
Product: X10dgq firmware 
Version: 3.83;
Product: X10dri-ln4+ firmware 
Version: 3.83;
Product: X10drw-it firmware 
Version: 3.83;
Product: X10sdv-4c-tln4f firmware 
Version: 3.83;
Product: X10srh-cln4f firmware 
Version: 3.83;
Product: X10drh-cln4 firmware 
Version: 3.83;
Product: X10dru-x firmware 
Version: 3.83;
Product: X10sdv-2c-tp8f firmware 
Version: 3.83;
Product: X10sra-f firmware 
Version: 3.83;
Product: X10drg-ht firmware 
Version: 3.83;
Product: X10sdv-16c-tln4f+ firmware 
Version: 3.83;
Product: X10sll-sf firmware 
Version: 3.83;
Product: A1srm-ln7f-2358 firmware 
Version: 3.83;
Product: X10drfr-n firmware 
Version: 3.83;
Product: X10drt-pibf firmware 
Version: 3.83;
Product: X10sle-hf firmware 
Version: 3.83;
Product: A1sri-2558f firmware 
Version: 3.83;
Product: X10drff-cg firmware 
Version: 3.83;
Product: X10drt-hibf firmware 
Version: 3.83;
Product: X10sla-f firmware 
Version: 3.83;
Product: A1sai-2550f firmware 
Version: 3.83;
Product: X10drd-itp firmware 
Version: 3.83;
Product: X10drl-it firmware 
Version: 3.83;
Product: X10sdv-8c-tln4f firmware 
Version: 3.83;
Product: X10drc-t4+ firmware 
Version: 3.83;
Product: X10dri-t firmware 
Version: 3.83;
Product: X10drw-nt firmware 
Version: 3.83;
Product: X10sdv-6c-tln4f firmware 
Version: 3.83;
Product: X10srl-f firmware 
Version: 3.83;
Product: X10ddw-i firmware 
Version: 3.83;
Product: X10drh-i firmware 
Version: 3.83;
Product: X10drw-e firmware 
Version: 3.83;

CVSS2 => (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVSS Base Score
Impact Subscore
Exploitability Subscore
5/10
2.9/10
10/10
Exploit range
Attack complexity
Authentication
Remote
Low
No required
Confidentiality impact
Integrity impact
Availability impact
Partial
None
None

 References:
https://eclypsium.com/2019/09/03/usbanywhere-bmc-vulnerability-opens-servers-to-remote-attack/
https://github.com/eclypsium/USBAnywhere
https://www.supermicro.com/support/security_BMC_virtual_media.cfm

Related CVE
CVE-2019-16650
On Supermicro X10 and X11 products, a client's access privileges may be transferred to a different client that later has the same socket file descriptor number. In opportunistic circumstances, an attacker can simply connect to the virtual media servi...
CVE-2019-13131
Super Micro SuperDoctor 5, when restrictions are not implemented in agent.cfg, allows remote attackers to execute arbitrary commands via NRPE.
CVE-2018-13787
Certain Supermicro X11S, X10, X9, X8SI, K1SP, C9X299, C7, B1, A2, and A1 products have a misconfigured Descriptor Region, allowing OS programs to modify firmware.
CVE-2013-3623
Multiple stack-based buffer overflows in cgi/close_window.cgi in the web interface in the Intelligent Platform Management Interface (IPMI) with firmware before 3.15 (SMT_X9_315) on Supermicro X9 generation motherboards allow remote attackers to execu...
CVE-2013-3622
Buffer overflow in logout.cgi in the Intelligent Platform Management Interface (IPMI) with firmware before 3.15 (SMT_X9_315) on Supermicro X9 generation motherboards allows remote authenticated users to execute arbitrary code via the SID parameter.
CVE-2013-3609
The web interface in the Intelligent Platform Management Interface (IPMI) implementation on Supermicro H8DC*, H8DG*, H8SCM-F, H8SGL-F, H8SM*, X7SP*, X8DT*, X8SI*, X9DAX-*, X9DB*, X9DR*, X9QR*, X9SBAA-F, X9SC*, X9SPU-F, and X9SR* devices relies on Jav...
CVE-2013-3608
The web interface in the Intelligent Platform Management Interface (IPMI) implementation on Supermicro H8DC*, H8DG*, H8SCM-F, H8SGL-F, H8SM*, X7SP*, X8DT*, X8SI*, X9DAX-*, X9DB*, X9DR*, X9QR*, X9SBAA-F, X9SC*, X9SPU-F, and X9SR* devices allows remote...
CVE-2013-3607
Multiple stack-based buffer overflows in the web interface in the Intelligent Platform Management Interface (IPMI) implementation on Supermicro H8DC*, H8DG*, H8SCM-F, H8SGL-F, H8SM*, X7SP*, X8DT*, X8SI*, X9DAX-*, X9DB*, X9DR*, X9QR*, X9SBAA-F, X9SC*,...

Copyright 2019, cxsecurity.com

 

Back to Top