Les Bell

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories

Vulnerabilities in Supermicro BMC Firmware

Back in December last year, we reported on vulnerabilities in the AMI MegaRAC software which runs on the baseboard management controller circuitry of many servers in order to provide server management in data centers. Only a month later came news that two other vulnerabilities had been discovered at the same time by security firm Eclypsium, who had given AMI time to develop mitigations.

Now it's Supermicro's turn in the barrel, accordint to a new report from Binarly who have examined the firmware for Supermicro X11 v 1.66, discovering seven vulnerabilities:

• CVE-2023-40289 - a command injection vulnerability in the BMC server back end (CVSS 3.x score 9.1, Critical)
• CVE-2023-40284 - a cross-site scripting vulnerability in the BMC server front end (CVSS 3.x score 9.6, Critical)
• CVE-2023-40287 - a cross-site scripting vulnerability in the BMC server front end (CVSS 3.x score 9.6, Critical)
• CVE-2023-40288 - a cross-site scripting vulnerability in the BMC server front end (CVSS 3.x score 9.6, Critical)
• CVE-2023-40290 - a cross-site scripting vulnerability in the BMC server front end (CVSS 3.x score 8.3, High)
• CVE-2023-40285 - a cross-site scripting vulnerability in the BMC server front end (CVSS 3.x score 8.6, High)
• CVE-2023-40286 - a cross-site scripting vulnerability in the BMC server front end (CVSS 3.x score 8.6, High)

(At time of writing, most of those vulnerabilities are not yet in the National Vulnerability Database.)

The first vulnerability allows an authenticated attacker to gain root access and completely compromise the system, persisting through BMC reboots and leading to lateral movement within the data center infrastructure. The next three cross-site scripting vulnerabilities allow allow execution of arbitrary JavaScript code in the context of a logged-in BMC user, leading to privilege escalation via creation of a new admin account and - hey presto! - CVE-2023-40289 is now available.

The remaining three XSS vulnerabilities also allow execution of arbitrary JavaScript code, but depend on additional conditions to succeed, making them more difficult. However, these seven vulnerabilities collectively offer a chain which can lead to exploitation of the server OS via legitimate iKVM BMC functionality or by flashing the UEFI BIOS of the target system with malicious firmware to achieve persistence.

Binarly are highly critical of Supermicro's response, claiming the firm's calculations of lower CVSS scores reflect a misguided attempt to minimise the impact of the vulnerabilities. Supermicro customers are urged to patch their systems as soon as possible, and also to follow the advice in the NSA's information sheet on BMC hardening.

Binarly Research Team, Binarly REsearch Uncovers Major Vulnerabilities in Supermicro BMCs, blog post 3 October 2023. Available online at https://binarly.io/posts/Binarly_REsearch_Uncovers_Major_Vulnerabilities_in_Supermicro_BMCs/index.html.

National Security Agency / Central Security Service, NSA and CISA Release Guide to Protect Baseboard Management Controllers, press release, 14 June 2023. Available online at https://www.nsa.gov/Press-Room/Press-Releases-Statements/Press-Release-View/Article/3426648/nsa-and-cisa-release-guide-to-protect-baseboard-management-controllers/.

NSA and CISA, Harden Baseboard Management Controllers, cybersecurity information sheet, June 2023. Available online at https://media.defense.gov/2023/Jun/14/2003241405/-1/-1/0/CSI_HARDEN_BMCS.PDF.

Trend Micro Offers Managers a Guide to Cybersecurity Risk Assessment

Security firm Trend Micro has published an article on risk management which won't tell information risk management professionals anything they don't know, but is a nice introduction to send to busy managers who need to appreciate the basics. It ends with a gentle pitch for the firm's Vision One EDR/XDR product, as one might expect, but is easily readable and contains some links to other relevant non-technical articles on, e.g. cyber risk quantification.

Clay, Jon, A Cybersecurity Risk Assessment Guide for Leaders, blog post, 5 October 2023. Available online at https://www.trendmicro.com/en_us/ciso/23/b/cybersecurity-risk-assessment.html.

Upcoming Courses

• SE221 CISSP Fast Track Review, Virtual/Online, 13 - 17 November 2023
• SE221 CISSP Fast Track Review, Sydney, 4 - 8 December 2023
• SE221 CISSP Fast Track Review, Sydney, 11 - 15 March 2024
• SE221 CISSP Fast Track Review, Virtual/Online, 13 - 17 May 2024
• SE221 CISSP Fast Track Review, Virtual/Online, 17 - 21 June 2024
• SE221 CISSP Fast Track Review, Sydney, 22 - 26 July 2024
  

These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.