CVSS: 7.2EPSS: 0%CPEs: 220EXPL: 0CVE-2018-13787
https://notcve.org/view.php?id=CVE-2018-13787
Certain Supermicro X11S, X10, X9, X8SI, K1SP, C9X299, C7, B1, A2, and A1 products have a misconfigured Descriptor Region, allowing OS programs to modify firmware. Ciertos productos Supermicro X11S, X10, X9, X8SI, K1SP, C9X299, C7, B1, A2 y A1 tienen un error de configuración en el descriptor de región, lo que permite que los programas del sistema operativo modifiquen el firmware. • https://blog.eclypsium.com/2018/06/07/firmware-vulnerabilities-in-supermicro-systems https://www.bleepingcomputer.com/news/security/firmware-vulnerabilities-disclosed-in-supermicro-server-products https://www.supermicro.com/support/security_Intel-SA-00088.cfm?pg=X10#tab •
CVSS: 10.0EPSS: 3%CPEs: 133EXPL: 1CVE-2013-3608
https://notcve.org/view.php?id=CVE-2013-3608
The web interface in the Intelligent Platform Management Interface (IPMI) implementation on Supermicro H8DC*, H8DG*, H8SCM-F, H8SGL-F, H8SM*, X7SP*, X8DT*, X8SI*, X9DAX-*, X9DB*, X9DR*, X9QR*, X9SBAA-F, X9SC*, X9SPU-F, and X9SR* devices allows remote authenticated users to execute arbitrary commands via shell metacharacters, as demonstrated by the IP address field in config_date_time.cgi. La interfaz web en la implementación Intelligent Platform Management Interface (IPMI) en dispositivos Supermicro H8DC*, H8DG*, H8SCM-F, H8SGL-F, H8SM*, X7SP*, X8DT*, X8SI*, X9DAX-*, X9DB*, X9DR*, X9QR*, X9SBAA-F, X9SC*, X9SPU-F y X9SR* permite a usuarios remotos autenticados ejecutar comandos arbitrarios a través de metacaracteres de shell, según lo demostrado por el campo de dirección IP en config_date_time.cgi. • http://www.kb.cert.org/vuls/id/648646 http://www.securityfocus.com/bid/62097 http://www.supermicro.com/products/nfo/files/IPMI/CVE_Update.pdf http://www.thomas-krenn.com/en/wiki/Supermicro_IPMI_Security_Updates_November_2013 https://support.citrix.com/article/CTX216642 https://www.usenix.org/system/files/conference/woot13/woot13-bonkoski_0.pdf • CWE-20: Improper Input Validation •
CVSS: 10.0EPSS: 9%CPEs: 133EXPL: 1CVE-2013-3607
https://notcve.org/view.php?id=CVE-2013-3607
Multiple stack-based buffer overflows in the web interface in the Intelligent Platform Management Interface (IPMI) implementation on Supermicro H8DC*, H8DG*, H8SCM-F, H8SGL-F, H8SM*, X7SP*, X8DT*, X8SI*, X9DAX-*, X9DB*, X9DR*, X9QR*, X9SBAA-F, X9SC*, X9SPU-F, and X9SR* devices allow remote attackers to execute arbitrary code on the Baseboard Management Controller (BMC), as demonstrated by the (1) username or (2) password field in login.cgi. Multiples desbordamientos de buffer basados en pila en la interfaz web de la implementación de Intelligent Platform Management Interface (IPMI) en dispositivos Supermicro H8DC*, H8DG*, H8SCM-F, H8SGL-F, H8SM*, X7SP*, X8DT*, X8SI*, X9DAX-*, X9DB*, X9DR*, X9QR*, X9SBAA-F, X9SC*, X9SPU-F, y X9SR* permite a atacantes remotos ejecutar código arbitrario en el Baseboard Management Controller (BMC), como se muestra en el campo de (1) usuario o (2) contraseña en login.cgi. • http://www.kb.cert.org/vuls/id/648646 http://www.securityfocus.com/bid/62094 http://www.supermicro.com/products/nfo/files/IPMI/CVE_Update.pdf http://www.thomas-krenn.com/en/wiki/Supermicro_IPMI_Security_Updates_November_2013 https://support.citrix.com/article/CTX216642 https://www.usenix.org/system/files/conference/woot13/woot13-bonkoski_0.pdf • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVSS: 10.0EPSS: 1%CPEs: 133EXPL: 1CVE-2013-3609
https://notcve.org/view.php?id=CVE-2013-3609
The web interface in the Intelligent Platform Management Interface (IPMI) implementation on Supermicro H8DC*, H8DG*, H8SCM-F, H8SGL-F, H8SM*, X7SP*, X8DT*, X8SI*, X9DAX-*, X9DB*, X9DR*, X9QR*, X9SBAA-F, X9SC*, X9SPU-F, and X9SR* devices relies on JavaScript code on the client for authorization checks, which allows remote authenticated users to bypass intended access restrictions via a crafted request, related to the PrivilegeCallBack function. La interfaz web en la implementación Intelligent Platform Management Interface (IPMI) en dispositivos Supermicro H8DC*, H8DG*, H8SCM-F, H8SGL-F, H8SM*, X7SP*, X8DT*, X8SI*, X9DAX-*, X9DB*, X9DR*, X9QR*, X9SBAA-F, X9SC*, X9SPU-F y X9SR* confie en el código JavaScript en el cliente para comprobaciones de autorización, lo que permite a usuarios remotos autenticados eludir las restricciones destinadas al acceso a través de una solicitud manipulada, relacionado con la función PrivilegeCallBack. • http://www.kb.cert.org/vuls/id/648646 http://www.securityfocus.com/bid/62098 http://www.supermicro.com/products/nfo/files/IPMI/CVE_Update.pdf http://www.thomas-krenn.com/en/wiki/Supermicro_IPMI_Security_Updates_November_2013 https://support.citrix.com/article/CTX216642 https://www.usenix.org/system/files/conference/woot13/woot13-bonkoski_0.pdf • CWE-20: Improper Input Validation •