Command Injection Vulnerability in Supermicro IPMI Products
CVE-2013-3608

Currently unrated

Key Information:

Vendor: Supermicro
Status: X7spt-df-d525\+; X7spa-hf-d525; H8sgl-f; X9scd-f
Vendor: CVE Published:; 8 September 2013

What is CVE-2013-3608?

The web interface of the Intelligent Platform Management Interface (IPMI) on certain Supermicro devices allows authenticated remote users to execute arbitrary commands. This is achieved through the manipulation of input fields, specifically demonstrated via shell metacharacters in the IP address field of config_date_time.cgi. This vulnerability can lead to unauthorized command execution on affected systems, highlighting a significant security risk for users and administrators.

References

http://www.kb.cert.org/vuls/id/648646

third-party-advisoryx_refsource_CERT-VN

http://www.supermicro.com/products/nfo/files/IPMI/CVE_Upd...

x_refsource_CONFIRM

https://www.usenix.org/system/files/conference/woot13/woo...

x_refsource_MISC

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 8, 2013
Vulnerability Reserved
May 21, 2013