CVE-2023-28863

9.1 CRITICAL

📋 TL;DR

CVE-2023-28863 is an insufficient verification of data authenticity vulnerability in AMI MegaRAC SPx12 and SPx13 baseboard management controllers (BMCs). This allows attackers to bypass authentication mechanisms and execute arbitrary code with high privileges. Organizations using affected AMI BMC firmware versions are at risk.

💻 Affected Systems

Products:
  • AMI MegaRAC SPx12 Baseboard Management Controller
  • AMI MegaRAC SPx13 Baseboard Management Controller
Versions: All versions prior to SPx12 12.0.5 and SPx13 13.0.2
Operating Systems: BMC firmware; not dependent on the host operating system
Default Config Vulnerable: ⚠️ Yes
Notes: Affects servers from multiple OEM vendors using AMI BMC firmware. Check with your hardware vendor for specific affected models.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete compromise of the BMC with persistent remote code execution, enabling attackers to control server hardware, install backdoors, exfiltrate data, or cause physical damage.

🟠 Likely Case: Unauthorized access to the BMC management interface leading to privilege escalation, configuration changes, and potential lateral movement to connected systems.

🟢 If Mitigated: Limited impact if network segmentation and access controls prevent external access to BMC interfaces.

🌐 Internet-Facing: HIGH - BMC interfaces exposed to internet are directly exploitable without authentication.
🏢 Internal Only: MEDIUM - Requires internal network access but exploitation is still possible once network access is obtained.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability allows authentication to be bypassed without credentials. Exploitation requires network access to the BMC management interface (typically the IPMI/RMCP+ ports).

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: SPx12 12.0.5 or later, SPx13 13.0.2 or later

Vendor Advisory: https://9443417.fs1.hubspotusercontent-na1.net/hubfs/9443417/Security%20Advisories/AMI-SA-2023003.pdf

Restart Required: Yes

Instructions:

1. Contact your server hardware vendor for updated BMC firmware.
2. Download the firmware version appropriate for your hardware model.
3. Follow the vendor-specific BMC firmware update procedure.
4. Reboot the BMC after the update completes.

🔧 Temporary Workarounds

Network Segmentation (applies to: all)

Isolate BMC management interfaces from untrusted networks.

# Restrict access to the BMC IPMI ports (typically 623/UDP, 664/UDP) on the
# firewall in front of the BMC segment; host iptables rules do not filter
# traffic to the BMC, which has its own network stack (use FORWARD on a router).
# Example (<trusted_network> is a placeholder for the management subnet CIDR):
iptables -A INPUT -p udp --dport 623 -s <trusted_network> -j ACCEPT
iptables -A INPUT -p udp --dport 623 -j DROP

Access Control Lists (applies to: all)

Implement strict IP-based access controls on the BMC itself.

# Configure the BMC's network settings to restrict management access.
# Use vendor-specific BMC configuration tools to set the allowed IP ranges.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate BMC interfaces from all untrusted networks
  • Enable multi-factor authentication if supported
  • Monitor BMC access logs for suspicious activity

🔍 How to Verify

Check if Vulnerable:

Check the BMC firmware version with ipmitool (ipmitool mc info | grep 'Firmware Revision') or through the vendor's management interface. The revision reported over IPMI is the OEM's own firmware version (major.minor), which is not necessarily the AMI SPx version, so confirm with your hardware vendor which OEM release contains the fix.

Check Version:

ipmitool mc info | grep -i 'firmware\|version'

Verify Fix Applied:

Confirm the firmware version is SPx12 12.0.5 or later, or SPx13 13.0.2 or later (or the corresponding OEM release), using the same version checks as above.

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized authentication attempts on BMC interface
  • Unexpected firmware version changes
  • Multiple failed login attempts followed by successful access

Network Indicators:

  • Unusual traffic to BMC management ports (623/UDP, 664/UDP) from unexpected sources
  • RMCP+ protocol anomalies

SIEM Query:

source="BMC_logs" AND (event_type="authentication_failure" OR event_type="firmware_update") | stats count by src_ip
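As an added illustration (not from the advisory or from AMI), a small Python detector that applies the log indicators above, several failed BMC logins followed by a success from the same source and a firmware update from such a source, to constructed sample log lines. The log format, field names and the five-minute window are assumptions; real BMC syslog formats vary by OEM, so adapt the regex.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample BMC audit log lines (hypothetical format, not an OEM's).
SAMPLE_LOG = """\
2023-04-01T10:00:01Z bmc auth: login failed user=admin src=203.0.113.5 proto=rmcp+
2023-04-01T10:00:02Z bmc auth: login failed user=admin src=203.0.113.5 proto=rmcp+
2023-04-01T10:00:04Z bmc auth: login failed user=root src=203.0.113.5 proto=rmcp+
2023-04-01T10:00:05Z bmc auth: login success user=admin src=203.0.113.5 proto=rmcp+
2023-04-01T10:05:00Z bmc auth: login success user=ops src=10.0.0.7 proto=https
2023-04-01T10:07:30Z bmc firmware: update started src=203.0.113.5 version=1.03
"""

# Assumed line layout: "<timestamp> bmc <subsystem>: <message> ... src=<ip> ..."
LINE_RE = re.compile(
    r"^(?P<ts>\S+) bmc (?P<subsys>auth|firmware): "
    r"(?P<msg>login failed|login success|update started) .*?src=(?P<src>\S+)"
)

def parse(log_text):
    """Turn raw log text into (timestamp, subsystem, message, source_ip) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m["subsys"], m["msg"], m["src"]))
    return events

def find_suspicious(events, min_failures=3, window=timedelta(minutes=5)):
    """Return alerts as (kind, src_ip, failure_count): a source with at least
    min_failures failed logins inside `window` followed by a success, and any
    firmware update later initiated from a source flagged that way."""
    failures = defaultdict(list)   # src_ip -> timestamps of recent failures
    flagged = set()
    alerts = []
    for ts, subsys, msg, src in sorted(events):
        if subsys == "auth" and msg == "login failed":
            failures[src].append(ts)
        elif subsys == "auth" and msg == "login success":
            recent = [t for t in failures[src] if ts - t <= window]
            if len(recent) >= min_failures:
                flagged.add(src)
                alerts.append(("failures_then_success", src, len(recent)))
            failures[src].clear()  # a success closes the failure run
        elif subsys == "firmware" and src in flagged:
            alerts.append(("firmware_update_from_flagged_source", src, 0))
    return alerts
```

Run over SAMPLE_LOG, the detector flags 203.0.113.5 for three failures followed by a success and again for the later firmware update, while the clean login from 10.0.0.7 produces nothing.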
