Researchers have identified vulnerabilities in the Virtual Media function of Supermicro BMCs.
BMC/IPMI Virtual Media is a feature of the Virtual Console that enables users to attach a CD/DVD image to the server as a virtual CD/DVD drive. These vulnerabilities include plaintext authentication, weak encryption, and authentication bypass within the Virtual Media capabilities. Identified by researchers in the lab, the vulnerabilities have not been reported in a customer environment.
Industry best practice is to operate BMCs on an isolated private network that is not exposed to the internet; this reduces, but does not eliminate, the identified exposure.
Another potential interim remediation is to disable Virtual Media by blocking TCP port 623 and then upgrade to the latest security fix for BMC/IPMI firmware at a later date.
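The two interim steps above (isolating the BMC network and blocking TCP port 623) are only effective if nothing outside the management segment can actually reach the port. The script below is an added example, not Supermicro's code: run it from a host that should not have BMC access (for example a production or office segment) and it reports, per BMC address, whether a TCP connection to the Virtual Media port still completes. The host list, the `EXPOSED`/`BLOCKED` labels and the `probe` hook are assumptions chosen for illustration; only the port number 623 comes from the advisory.

```python
"""Verify that the Supermicro BMC Virtual Media port (TCP 623) is blocked
from the network segment this script runs on.  Added example, not vendor
code.  Assumed: a list of BMC addresses supplied by the operator and a
2-second connect timeout."""
import socket
from typing import Callable, Dict, Iterable, List, Tuple

# TCP port named in the advisory for the BMC Virtual Media service.
VIRTUAL_MEDIA_PORT = 623

# Signature of a reachability probe: (host, port, timeout) -> reachable?
ProbeFn = Callable[[str, int, float], bool]


def tcp_port_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True only if a full TCP handshake completes.

    Connection refused, a firewall drop (timeout) or an unresolvable host all
    count as not reachable, which is the desired state for this port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit_virtual_media_exposure(
    hosts: Iterable[str],
    port: int = VIRTUAL_MEDIA_PORT,
    probe: ProbeFn = tcp_port_open,
    timeout: float = 2.0,
) -> Dict[str, str]:
    """Map each BMC address to 'EXPOSED' (port reachable) or 'BLOCKED'."""
    return {h: ("EXPOSED" if probe(h, port, timeout) else "BLOCKED") for h in hosts}


def exposed_hosts(report: Dict[str, str]) -> List[str]:
    """Sorted list of addresses that still accept connections on the port."""
    return sorted(h for h, state in report.items() if state == "EXPOSED")


def _start_local_listener() -> Tuple[socket.socket, int]:
    """Open a listening socket on an ephemeral loopback port so the audit can be
    demonstrated offline.  A listening socket completes the handshake even
    before accept() is called, which is exactly what the probe checks."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    # Offline demonstration: a loopback listener stands in for a BMC whose
    # Virtual Media port is reachable; closing it stands in for the block.
    srv, demo_port = _start_local_listener()
    try:
        print("listener up:  ", audit_virtual_media_exposure(["127.0.0.1"], port=demo_port))
    finally:
        srv.close()
    print("listener down:", audit_virtual_media_exposure(["127.0.0.1"], port=demo_port))

    # Real use (constructed placeholder addresses; replace with your BMC inventory):
    # report = audit_virtual_media_exposure(["10.0.0.10", "10.0.0.11"])
    # print("still exposed:", exposed_hosts(report))
```

Run it once from inside the management network (every BMC should report `EXPOSED`, proving the probe itself works) and once from each segment that is supposed to be cut off (every BMC should report `BLOCKED`). A `BLOCKED` result only shows that the TCP handshake fails from that vantage point; it says nothing about whether the firmware has been upgraded, so the firmware update remains the actual fix.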
New versions of the BMC software address these vulnerabilities. Check below for details on specific products.
View table that shows affected X11, X10, X9 Supermicro products.