Access Control Flaw in Supermicro X10 and X11 Products
CVE-2019-16650

10 CRITICAL

Key Information:

Vendor

Supermicro

CVE Published:
21 September 2019

What is CVE-2019-16650?

On Supermicro X10 and X11 products, a client's access privileges can be mistakenly transferred to another client that connects through the same socket file descriptor number. An attacker can exploit this through the virtual media service to connect virtual USB devices to the server managed by the Baseboard Management Controller (BMC). Exploitation could enable unauthorized access to sensitive systems, posing a significant risk to data integrity and system security.

CVSS V3.1

Score:
10
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
