Encryption and Authentication Issues in Supermicro BMC Virtual Media Services
CVE-2019-16649

10 CRITICAL

Key Information:

Vendor: Supermicro
CVE Published: 21 September 2019

What is CVE-2019-16649?

The virtual media service of Supermicro's BMC, across various server models, has flaws in its encryption and authentication methods. These flaws allow attackers to capture sensitive BMC credentials and any data being transferred through virtual media devices. By exploiting this weakness, an attacker could connect malicious virtual USB devices to the affected server, potentially leading to unauthorized access and manipulation of server operations.

CVSS V3.1

Score: 10
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
