CVE-2019-16649
📋 TL;DR
This vulnerability in Supermicro BMC firmware allows attackers to capture BMC credentials and data transferred over virtual media devices due to encryption and authentication flaws. Attackers can then use these credentials to remotely connect virtual USB devices to servers managed by the BMC. Affected products include Supermicro H11, H12, M11, X9, X10, and X11 series servers with vulnerable BMC firmware.
💻 Affected Systems
- Supermicro H11 series servers
- Supermicro H12 series servers
- Supermicro M11 series servers
- Supermicro X9 series servers
- Supermicro X10 series servers
- Supermicro X11 series servers
📦 What is this software?
B10drc Firmware by Supermicro
B10drc N Firmware by Supermicro
B10dri Firmware by Supermicro
B10dri N Firmware by Supermicro
B10drt Firmware by Supermicro
B11dpe Firmware by Supermicro
B11dpt Firmware by Supermicro
B11qpi Firmware by Supermicro
B1sd1 Tf Firmware by Supermicro
B1sd2 Tf Firmware by Supermicro
B2ss1 Cf Firmware by Supermicro
B2ss1 F Firmware by Supermicro
B2ss2 F Firmware by Supermicro
B9dr7 Firmware by Supermicro
B9drg 3m Firmware by Supermicro
B9drg E Firmware by Supermicro
B9drg Firmware by Supermicro
B9dri Firmware by Supermicro
B9drp Firmware by Supermicro
B9drt Firmware by Supermicro
X10dbt T Firmware by Supermicro
X10ddw I Firmware by Supermicro
X10dgo T Firmware by Supermicro
X10dgq Firmware by Supermicro
X10drd I Firmware by Supermicro
X10drd L Firmware by Supermicro
X10drff Firmware by Supermicro
X10drfr Firmware by Supermicro
X10drg H Firmware by Supermicro
X10drg Q Firmware by Supermicro
X10drh C Firmware by Supermicro
X10drh I Firmware by Supermicro
X10dri Firmware by Supermicro
X10dri T Firmware by Supermicro
X10drl C Firmware by Supermicro
X10drl I Firmware by Supermicro
X10drs Firmware by Supermicro
X10drt H Firmware by Supermicro
X10drt L Firmware by Supermicro
X10drt P Firmware by Supermicro
X10dru X Firmware by Supermicro
X10drw E Firmware by Supermicro
X10drw I Firmware by Supermicro
X10drw N Firmware by Supermicro
X10drx Firmware by Supermicro
X10dsc+ Firmware by Supermicro
X10qbi Firmware by Supermicro
X10qbl 4 Firmware by Supermicro
X10qbl Firmware by Supermicro
X10qrh+ Firmware by Supermicro
X10sae Firmware by Supermicro
X10sat Firmware by Supermicro
X10sdd F Firmware by Supermicro
X10sdv F Firmware by Supermicro
X10sl7 F Firmware by Supermicro
X10sla F Firmware by Supermicro
X10sld F Firmware by Supermicro
X10sle F Firmware by Supermicro
X10slh F Firmware by Supermicro
X10sll F Firmware by Supermicro
X10sll S Firmware by Supermicro
X10slm F Firmware by Supermicro
X10slx F Firmware by Supermicro
X10sra F Firmware by Supermicro
X10sra Firmware by Supermicro
X10srd F Firmware by Supermicro
X10srg F Firmware by Supermicro
X10sri F Firmware by Supermicro
X10srl F Firmware by Supermicro
X10srm F Firmware by Supermicro
X10srw F Firmware by Supermicro
X11dac Firmware by Supermicro
X11dai N Firmware by Supermicro
X11ddw L Firmware by Supermicro
X11dgo T Firmware by Supermicro
X11dgq Firmware by Supermicro
X11dph I Firmware by Supermicro
X11dph T Firmware by Supermicro
X11dpi N Firmware by Supermicro
X11dpl I Firmware by Supermicro
X11dpt B Firmware by Supermicro
X11dpt L Firmware by Supermicro
X11dpu Firmware by Supermicro
X11dpu V Firmware by Supermicro
X11dpu X Firmware by Supermicro
X11dpx T Firmware by Supermicro
X11dsc Firmware by Supermicro
X11dsf E Firmware by Supermicro
X11qph+ Firmware by Supermicro
X11sca F Firmware by Supermicro
X11sca Firmware by Supermicro
X11sca W Firmware by Supermicro
X11scd F Firmware by Supermicro
X11sch F Firmware by Supermicro
X11scl F Firmware by Supermicro
X11scm F Firmware by Supermicro
X11scw F Firmware by Supermicro
X11spa T Firmware by Supermicro
X11spl F Firmware by Supermicro
X11spm F Firmware by Supermicro
X11srl F Firmware by Supermicro
X11srm F Firmware by Supermicro
X11ssd F Firmware by Supermicro
X11sse F Firmware by Supermicro
X11ssh F Firmware by Supermicro
X11ssl F Firmware by Supermicro
X11ssl Firmware by Supermicro
X11ssm F Firmware by Supermicro
X11ssm Firmware by Supermicro
X11ssw F Firmware by Supermicro
X9da7/e Firmware by Supermicro
X9dai Firmware by Supermicro
X9drd Ef Firmware by Supermicro
X9drfr Firmware by Supermicro
X9drg Qf Firmware by Supermicro
X9qr7 Tf Firmware by Supermicro
X9qri F Firmware by Supermicro
X9sra Firmware by Supermicro
X9srd F Firmware by Supermicro
X9srg F Firmware by Supermicro
X9srw F Firmware by Supermicro
⚠️ Risk & Real-World Impact
Worst Case
Full server compromise allowing attackers to install malware, exfiltrate data, or cause physical damage through virtual USB device connections.
Likely Case
Credential theft leading to unauthorized BMC access and potential server manipulation.
If Mitigated
Limited impact if network segmentation and strong authentication are in place.
🎯 Exploit Status
Exploit tools available on GitHub. Attack requires network access to BMC interface.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Varies by model; check the Supermicro security advisory for the specific fixed version for each board.
Vendor Advisory: https://www.supermicro.com/support/security_BMC_virtual_media.cfm
Restart Required: Yes
Instructions:
1. Identify the server model and the current BMC firmware version.
2. Download the appropriate patched firmware from the Supermicro support site.
3. Update the BMC firmware following Supermicro documentation.
4. Verify that the update completed successfully.
🔧 Temporary Workarounds
Disable Virtual Media Service
Platform: Linux. Temporarily disable the vulnerable virtual media service until patching can be completed:
ipmitool raw 0x32 0x6a 0x20 0x00 0x00 0x00 0x00 0x00 0x00 0x00
Network Segmentation
Platform: all. Isolate BMC management interfaces from untrusted networks.
🧯 If You Can't Patch
- Implement strict network access controls to BMC interfaces
- Disable virtual media service entirely if not required
🔍 How to Verify
Check if Vulnerable:
Check the BMC firmware version against Supermicro's list of patched versions for your board model, using ipmitool as shown below.
Check Version:
ipmitool mc info | grep 'Firmware Revision'
Verify Fix Applied:
Verify that the BMC firmware version matches the patched version given in the Supermicro advisory for your model, then test virtual media functionality to confirm it still works after the update.
📡 Detection & Monitoring
Log Indicators:
- Unusual virtual media connection attempts in BMC logs
- Failed authentication attempts followed by successful connections
Network Indicators:
- Unexpected traffic to BMC virtual media ports (typically 623/UDP, 5900/TCP)
- Network scans targeting BMC interfaces
SIEM Query:
source="BMC_logs" AND ("virtual media" OR "USB redirection") AND status="success"
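The second log indicator above (failed authentication attempts followed by a successful virtual media connection from the same source) can be turned into a simple correlation check. This is an added example, not part of this advisory or of the Eclypsium tooling; the syslog-like line format and the sample lines are constructed assumptions, since Supermicro BMC event log formats vary by firmware version.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample BMC log lines (format is an assumption for this example;
# adapt LINE_RE to the event log format your BMC firmware actually emits).
SAMPLE_LOG = """\
2019-09-03T10:00:01 bmc01 auth: login failed user=ADMIN src=203.0.113.7
2019-09-03T10:00:03 bmc01 auth: login failed user=ADMIN src=203.0.113.7
2019-09-03T10:00:04 bmc01 auth: login failed user=ADMIN src=203.0.113.7
2019-09-03T10:00:09 bmc01 auth: login success user=ADMIN src=203.0.113.7
2019-09-03T10:00:12 bmc01 vmedia: virtual media connected type=USB src=203.0.113.7
2019-09-03T11:30:00 bmc01 auth: login success user=ops src=10.0.5.20
2019-09-03T11:30:05 bmc01 vmedia: virtual media connected type=USB src=10.0.5.20
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<facility>\w+): (?P<msg>.*?) src=(?P<src>\S+)$"
)

def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.fromisoformat(d["ts"])
    return d

def find_suspicious(log_text, min_failures=3, window=timedelta(minutes=10)):
    """Return (src, connect_ts) pairs where a virtual media connection from src
    was preceded within `window` by at least `min_failures` failed logins."""
    failures = defaultdict(list)   # src -> timestamps of failed logins
    hits = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        src, ts, msg = ev["src"], ev["ts"], ev["msg"]
        if ev["facility"] == "auth" and "login failed" in msg:
            failures[src].append(ts)
        elif ev["facility"] == "vmedia" and "connected" in msg:
            # Only failures inside the sliding window count toward the indicator.
            recent = [t for t in failures[src] if ts - t <= window]
            if len(recent) >= min_failures:
                hits.append((src, ts.isoformat()))
    return hits
```

The benign operator session from 10.0.5.20 produces no hit, while the brute-force-then-connect pattern from 203.0.113.7 does; tune `min_failures` and `window` to your environment's baseline.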
🔗 References
- https://eclypsium.com/2019/09/03/usbanywhere-bmc-vulnerability-opens-servers-to-remote-attack/
- https://github.com/eclypsium/USBAnywhere
- https://www.supermicro.com/support/security_BMC_virtual_media.cfm