CVE-2013-3609 - Vulnerability Details

The web interface in the Intelligent Platform Management Interface (IPMI) implementation on Supermicro H8DC*, H8DG*, H8SCM-F, H8SGL-F, H8SM*, X7SP*, X8DT*, X8SI*, X9DAX-*, X9DB*, X9DR*, X9QR*, X9SBAA-F, X9SC*, X9SPU-F, and X9SR* devices relies on JavaScript code on the client for authorization checks, which allows remote authenticated users to bypass intended access restrictions via a crafted request, related to the PrivilegeCallBack function.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

This CVE is not in the KEV list.

The EPSS score is 0.03052.

Key SSVC decision points have not yet been added.

Vendors	Products
Supermicro Subscribe	H8dcl-6f Subscribe H8dcl-if Subscribe H8dct-hibqf Subscribe H8dct-hln4f Subscribe H8dct-ibqf Subscribe H8dg6-f Subscribe H8dgg-qf Subscribe H8dgi-f Subscribe H8dgt-hf Subscribe H8dgt-hibqf Subscribe H8dgt-hlf Subscribe H8dgt-hlibqf Subscribe H8dgu-f Subscribe H8dgu-ln4f\+ Subscribe H8scm-f Subscribe H8sgl-f Subscribe H8sme-f Subscribe H8sml-7 Subscribe H8sml-7f Subscribe H8sml-i Subscribe H8sml-if Subscribe X7spa-hf Subscribe X7spa-hf-d525 Subscribe X7spe-h-d525 Subscribe X7spe-hf Subscribe X7spe-hf-d525 Subscribe X7spt-df-d525 Subscribe X7spt-df-d525\+ Subscribe X8dtl-3f Subscribe X8dtl-6f Subscribe X8dtl-if Subscribe X8dtn\+-f Subscribe X8dtn\+-f-lr Subscribe X8dtu-6f\+ Subscribe X8dtu-6f\+-lr Subscribe X8dtu-6tf\+ Subscribe X8dtu-6tf\+-lr Subscribe X8dtu-ln4f\+ Subscribe X8dtu-ln4f\+-lr Subscribe X8si6-f Subscribe X8sia-f Subscribe X8sie-f Subscribe X8sie-ln4f Subscribe X8sil-f Subscribe X8sit-f Subscribe X8sit-hf Subscribe X8siu-f Subscribe X9dax-7f Subscribe X9dax-7f-hft Subscribe X9dax-7tf Subscribe X9dax-if Subscribe X9dax-if-hft Subscribe X9dax-itf Subscribe X9db3-f Subscribe X9db3-tpf Subscribe X9dbi-f Subscribe X9dbi-tpf Subscribe X9dbl-3f Subscribe X9dbl-if Subscribe X9dbu-3f Subscribe X9dbu-if Subscribe X9dr3-f Subscribe X9dr3-ln4f\+ Subscribe X9dr7-ln4f Subscribe X9dr7-ln4f-jbod Subscribe X9dr7-tf\+ Subscribe X9drd-7jln4f Subscribe X9drd-7ln4f Subscribe X9drd-7ln4f-jbod Subscribe X9drd-ef Subscribe X9drd-if Subscribe X9dre-ln4f Subscribe X9dre-tf\+ Subscribe X9drff Subscribe X9drff-7 Subscribe X9drff-7\+ Subscribe X9drff-7g\+ Subscribe X9drff-7t\+ Subscribe X9drff-7tg\+ Subscribe X9drff-i\+ Subscribe X9drff-ig\+ Subscribe X9drff-it\+ Subscribe X9drff-itg\+ Subscribe X9drfr Subscribe X9drg-hf Subscribe X9drg-hf\+ Subscribe X9drg-htf Subscribe X9drg-htf\+ Subscribe X9drh-7f Subscribe X9drh-7tf Subscribe X9drh-if Subscribe X9drh-itf Subscribe X9dri-f Subscribe X9dri-ln4f\+ Subscribe X9drl-3f Subscribe X9drl-ef Subscribe X9drl-if Subscribe X9drt-f Subscribe X9drt-h6f Subscribe X9drt-h6ibff Subscribe X9drt-h6ibqf Subscribe X9drt-hf\+ Subscribe X9drt-ibff Subscribe X9drt-ibqf Subscribe X9drw-3ln4f\+ Subscribe X9drw-3tf\+ Subscribe X9drw-7tpf\+ Subscribe X9drw-itpf\+ Subscribe X9drx\+-f Subscribe X9qr7-tf Subscribe X9qr7-tf-jbod Subscribe X9qr7-tf\+ Subscribe X9qri-f Subscribe X9qri-f\+ Subscribe X9sbaa-f Subscribe X9sca-f Subscribe X9scd-f Subscribe X9sce-f Subscribe X9scff-f Subscribe X9sci-ln4f Subscribe X9scl-f Subscribe X9scl\+-f Subscribe X9scm-f Subscribe X9scm-iif Subscribe X9spu-f Subscribe X9srd-f Subscribe X9sre-3f Subscribe X9sre-f Subscribe X9srg-f Subscribe X9sri-3f Subscribe X9sri-f Subscribe X9srl-f Subscribe X9srw-f Subscribe

Configuration 1 [-]

OR	cpe:2.3:h:supermicro:h8dcl-6f:-:::::::*
	cpe:2.3:h:supermicro:h8dcl-if:-:::::::*
	cpe:2.3:h:supermicro:h8dct-hibqf:-:::::::*
	cpe:2.3:h:supermicro:h8dct-hln4f:-:::::::*
	cpe:2.3:h:supermicro:h8dct-ibqf:-:::::::*
	cpe:2.3:h:supermicro:h8dg6-f:-:::::::*
	cpe:2.3:h:supermicro:h8dgg-qf:-:::::::*
	cpe:2.3:h:supermicro:h8dgi-f:-:::::::*
	cpe:2.3:h:supermicro:h8dgt-hf:-:::::::*
	cpe:2.3:h:supermicro:h8dgt-hibqf:-:::::::*
	cpe:2.3:h:supermicro:h8dgt-hlf:-:::::::*
	cpe:2.3:h:supermicro:h8dgt-hlibqf:-:::::::*
	cpe:2.3:h:supermicro:h8dgu-f:-:::::::*
	cpe:2.3:h:supermicro:h8dgu-ln4f\+:-:::::::*
	cpe:2.3:h:supermicro:h8scm-f:-:::::::*
	cpe:2.3:h:supermicro:h8sgl-f:-:::::::*
	cpe:2.3:h:supermicro:h8sme-f:-:::::::*
	cpe:2.3:h:supermicro:h8sml-7:-:::::::*
	cpe:2.3:h:supermicro:h8sml-7f:-:::::::*
	cpe:2.3:h:supermicro:h8sml-i:-:::::::*
	cpe:2.3:h:supermicro:h8sml-if:-:::::::*
	cpe:2.3:h:supermicro:x7spa-hf:-:::::::*
	cpe:2.3:h:supermicro:x7spa-hf-d525:-:::::::*
	cpe:2.3:h:supermicro:x7spe-h-d525:-:::::::*
	cpe:2.3:h:supermicro:x7spe-hf:-:::::::*
	cpe:2.3:h:supermicro:x7spe-hf-d525:-:::::::*
	cpe:2.3:h:supermicro:x7spt-df-d525:-:::::::*
	cpe:2.3:h:supermicro:x7spt-df-d525\+:-:::::::*
	cpe:2.3:h:supermicro:x8dtl-3f:-:::::::*
	cpe:2.3:h:supermicro:x8dtl-6f:-:::::::*
	cpe:2.3:h:supermicro:x8dtl-if:-:::::::*
	cpe:2.3:h:supermicro:x8dtn\+-f:-:::::::*
	cpe:2.3:h:supermicro:x8dtn\+-f-lr:-:::::::*
	cpe:2.3:h:supermicro:x8dtu-6f\+:-:::::::*
	cpe:2.3:h:supermicro:x8dtu-6f\+-lr:-:::::::*
	cpe:2.3:h:supermicro:x8dtu-6tf\+:-:::::::*
	cpe:2.3:h:supermicro:x8dtu-6tf\+-lr:-:::::::*
	cpe:2.3:h:supermicro:x8dtu-ln4f\+:-:::::::*
	cpe:2.3:h:supermicro:x8dtu-ln4f\+-lr:-:::::::*
	cpe:2.3:h:supermicro:x8si6-f:-:::::::*
	cpe:2.3:h:supermicro:x8sia-f:-:::::::*
	cpe:2.3:h:supermicro:x8sie-f:-:::::::*
	cpe:2.3:h:supermicro:x8sie-ln4f:-:::::::*
	cpe:2.3:h:supermicro:x8sil-f:-:::::::*
	cpe:2.3:h:supermicro:x8sit-f:-:::::::*
	cpe:2.3:h:supermicro:x8sit-hf:-:::::::*
	cpe:2.3:h:supermicro:x8siu-f:-:::::::*
	cpe:2.3:h:supermicro:x9dax-7f:-:::::::*
	cpe:2.3:h:supermicro:x9dax-7f-hft:-:::::::*
	cpe:2.3:h:supermicro:x9dax-7tf:-:::::::*
	cpe:2.3:h:supermicro:x9dax-if:-:::::::*
	cpe:2.3:h:supermicro:x9dax-if-hft:-:::::::*
	cpe:2.3:h:supermicro:x9dax-itf:-:::::::*
	cpe:2.3:h:supermicro:x9db3-f:-:::::::*
	cpe:2.3:h:supermicro:x9db3-tpf:-:::::::*
	cpe:2.3:h:supermicro:x9dbi-f:-:::::::*
	cpe:2.3:h:supermicro:x9dbi-tpf:-:::::::*
	cpe:2.3:h:supermicro:x9dbl-3f:-:::::::*
	cpe:2.3:h:supermicro:x9dbl-if:-:::::::*
	cpe:2.3:h:supermicro:x9dbu-3f:-:::::::*
	cpe:2.3:h:supermicro:x9dbu-if:-:::::::*
	cpe:2.3:h:supermicro:x9dr3-f:-:::::::*
	cpe:2.3:h:supermicro:x9dr3-ln4f\+:-:::::::*
	cpe:2.3:h:supermicro:x9dr7-ln4f:-:::::::*
cpe:2.3:h:supermicro:x9dr7-ln4f-jbod:-:::::::*
cpe:2.3:h:supermicro:x9dr7-tf\+:-:::::::*
cpe:2.3:h:supermicro:x9drd-7jln4f:-:::::::*
cpe:2.3:h:supermicro:x9drd-7ln4f:-:::::::*
cpe:2.3:h:supermicro:x9drd-7ln4f-jbod:-:::::::*
cpe:2.3:h:supermicro:x9drd-ef:-:::::::*
cpe:2.3:h:supermicro:x9drd-if:-:::::::*
cpe:2.3:h:supermicro:x9dre-ln4f:-:::::::*
cpe:2.3:h:supermicro:x9dre-tf\+:-:::::::*
cpe:2.3:h:supermicro:x9drff:-:::::::*
cpe:2.3:h:supermicro:x9drff-7:-:::::::*
cpe:2.3:h:supermicro:x9drff-7\+:-:::::::*
cpe:2.3:h:supermicro:x9drff-7g\+:-:::::::*
cpe:2.3:h:supermicro:x9drff-7t\+:-:::::::*
cpe:2.3:h:supermicro:x9drff-7tg\+:-:::::::*
cpe:2.3:h:supermicro:x9drff-i\+:-:::::::*
cpe:2.3:h:supermicro:x9drff-ig\+:-:::::::*
cpe:2.3:h:supermicro:x9drff-it\+:-:::::::*
cpe:2.3:h:supermicro:x9drff-itg\+:-:::::::*
cpe:2.3:h:supermicro:x9drfr:-:::::::*
cpe:2.3:h:supermicro:x9drg-hf:-:::::::*
cpe:2.3:h:supermicro:x9drg-hf\+:-:::::::*
cpe:2.3:h:supermicro:x9drg-htf:-:::::::*
cpe:2.3:h:supermicro:x9drg-htf\+:-:::::::*
cpe:2.3:h:supermicro:x9drh-7f:-:::::::*
cpe:2.3:h:supermicro:x9drh-7tf:-:::::::*
cpe:2.3:h:supermicro:x9drh-if:-:::::::*
cpe:2.3:h:supermicro:x9drh-itf:-:::::::*
cpe:2.3:h:supermicro:x9dri-f:-:::::::*
cpe:2.3:h:supermicro:x9dri-ln4f\+:-:::::::*
cpe:2.3:h:supermicro:x9drl-3f:-:::::::*
cpe:2.3:h:supermicro:x9drl-ef:-:::::::*
cpe:2.3:h:supermicro:x9drl-if:-:::::::*
cpe:2.3:h:supermicro:x9drt-f:-:::::::*
cpe:2.3:h:supermicro:x9drt-h6f:-:::::::*
cpe:2.3:h:supermicro:x9drt-h6ibff:-:::::::*
cpe:2.3:h:supermicro:x9drt-h6ibqf:-:::::::*
cpe:2.3:h:supermicro:x9drt-hf\+:-:::::::*
cpe:2.3:h:supermicro:x9drt-ibff:-:::::::*
cpe:2.3:h:supermicro:x9drt-ibqf:-:::::::*
cpe:2.3:h:supermicro:x9drw-3ln4f\+:-:::::::*
cpe:2.3:h:supermicro:x9drw-3tf\+:-:::::::*
cpe:2.3:h:supermicro:x9drw-7tpf\+:-:::::::*
cpe:2.3:h:supermicro:x9drw-itpf\+:-:::::::*
cpe:2.3:h:supermicro:x9drx\+-f:-:::::::*
cpe:2.3:h:supermicro:x9qr7-tf:-:::::::*
cpe:2.3:h:supermicro:x9qr7-tf\+:-:::::::*
cpe:2.3:h:supermicro:x9qr7-tf-jbod:-:::::::*
cpe:2.3:h:supermicro:x9qri-f:-:::::::*
cpe:2.3:h:supermicro:x9qri-f\+:-:::::::*
cpe:2.3:h:supermicro:x9sbaa-f:-:::::::*
cpe:2.3:h:supermicro:x9sca-f:-:::::::*
cpe:2.3:h:supermicro:x9scd-f:-:::::::*
cpe:2.3:h:supermicro:x9sce-f:-:::::::*
cpe:2.3:h:supermicro:x9scff-f:-:::::::*
cpe:2.3:h:supermicro:x9sci-ln4f:-:::::::*
cpe:2.3:h:supermicro:x9scl\+-f:-:::::::*
cpe:2.3:h:supermicro:x9scl-f:-:::::::*
cpe:2.3:h:supermicro:x9scm-f:-:::::::*
cpe:2.3:h:supermicro:x9scm-iif:-:::::::*
cpe:2.3:h:supermicro:x9spu-f:-:::::::*
cpe:2.3:h:supermicro:x9srd-f:-:::::::*
cpe:2.3:h:supermicro:x9sre-3f:-:::::::*
cpe:2.3:h:supermicro:x9sre-f:-:::::::*
cpe:2.3:h:supermicro:x9srg-f:-:::::::*
cpe:2.3:h:supermicro:x9sri-3f:-:::::::*
cpe:2.3:h:supermicro:x9sri-f:-:::::::*
cpe:2.3:h:supermicro:x9srl-f:-:::::::*
cpe:2.3:h:supermicro:x9srw-f:-:::::::*

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2013-3543	The web interface in the Intelligent Platform Management Interface (IPMI) implementation on Supermicro H8DC, H8DG, H8SCM-F, H8SGL-F, H8SM, X7SP, X8DT, X8SI, X9DAX-, X9DB, X9DR, X9QR, X9SBAA-F, X9SC, X9SPU-F, and X9SR devices relies on JavaScript code on the client for authorization checks, which allows remote authenticated users to bypass intended access restrictions via a crafted request, related to the PrivilegeCallBack function.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
http://www.kb.cert.org/vuls/id/648646
http://www.securityfocus.com/bid/62098
http://www.supermicro.com/products/nfo/files/IPMI/CVE_Update.pdf
http://www.thomas-krenn.com/en/wiki/Supermicro_IPMI_Security_Updates_November_2013
https://support.citrix.com/article/CTX216642
https://www.usenix.org/system/files/conference/woot13/woot13-bonkoski_0.pdf

History

No history.

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: certcc

Published: 2013-09-08T01:00:00

Updated: 2024-08-06T16:14:56.568Z

Reserved: 2013-05-21T00:00:00

Link: CVE-2013-3609

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2013-09-08T03:17:39.603

Modified: 2025-04-11T00:51:21.963

Link: CVE-2013-3609

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-20

Metrics

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

Affected Vendors & Products

Projects

Metrics

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

Affected Vendors & Products

Projects

JSON object

JSON object

JSON object

JSON object

JSON object