CVE-2019-16649

CWE-287 — Improper Authentication CWE-326 CWE-522 — Insufficiently Protected Credentials3 documents3 sources

Severity

10.0CRITICAL

EPSS

0.1%

top 72.17%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

336

Supermicro A1sa2-2750f Firmware Supermicro A1sai-2550f Firmware Supermicro A1sai-2750f Firmware +333 more

Timeline

PublishedSep 21

Latest updateMay 24

Description

On Supermicro H11, H12, M11, X9, X10, and X11 products, a combination of encryption and authentication problems in the virtual media service allows capture of BMC credentials and data transferred over virtual media devices. Attackers can use captured credentials to connect virtual USB devices to the server managed by the BMC.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HExploitability: 3.9 | Impact: 6.0

Affected Packages336 packages

▶NVDsupermicro/b9dr7_firmware3.3

▶NVDsupermicro/b9drg_firmware3.3

▶NVDsupermicro/b9dri_firmware3.3

▶NVDsupermicro/b9drp_firmware3.3

▶NVDsupermicro/b9drt_firmware3.3

🔴Vulnerability Details

GHSA

GHSA-w4w7-g55h-mxxx: On Supermicro H11, H12, M11, X9, X10, and X11 products, a combination of encryption and authentication problems in the virtual media service allows ca↗2022-05-24

▶

CVEList

CVE-2019-16649: On Supermicro H11, H12, M11, X9, X10, and X11 products, a combination of encryption and authentication problems in the virtual media service allows ca↗2019-09-21

▶