CVE-2019-16649

CRITICAL | CVSS 10/10 | EPSS 0.92%

CVE-2019-16649 is a critical-severity vulnerability rated 10/10 on the CVSS scale. On Supermicro H11, H12, M11, X9, X10, and X11 products, a combination of encryption and authentication problems in the virtual media service allows capture of BMC credentials and data transferred over virtual media devices. Attackers can use captured credentials to connect virtual USB devices to the server managed by the BMC. EPSS estimates a 0.92% chance of exploitation in the next 30 days.

Description

On Supermicro H11, H12, M11, X9, X10, and X11 products, a combination of encryption and authentication problems in the virtual media service allows capture of BMC credentials and data transferred over virtual media devices. Attackers can use captured credentials to connect virtual USB devices to the server managed by the BMC.

Metrics

CVSS 3.1
10/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

EPSS Probability
0.92%

55.7th percentile

Probability of exploitation in the next 30 days.

Affected Software

Vendor     | Product                 | Versions
Supermicro | X11dai-N Firmware       | 1.71.5
Supermicro | X11dac Firmware         | 1.71.5
Supermicro | X11dph-Tq Firmware      | 1.71.5
Supermicro | X11dph-I Firmware       | 1.71.5
Supermicro | X11dph-T Firmware       | 1.71.5
Supermicro | X11dps-Re Firmware      | 1.71.5
Supermicro | X11dsf-E Firmware       | 1.71.5
Supermicro | X11dsn-Ts Firmware      | 1.71.5
Supermicro | X11dsn-Tsq Firmware     | 1.71.5
Supermicro | X11dsc+ Firmware        | 1.74
Supermicro | X11ddw-Nt Firmware      | 1.71.5
Supermicro | X11ddw-L Firmware       | 1.71.5
Supermicro | X11dgq Firmware         | 1.71.5
Supermicro | X11dpff-Sn Firmware     | 1.71.5
Supermicro | X11dpfr-Sn Firmware     | 1.71.5
Supermicro | X11dpfr-S Firmware      | 1.71.5
Supermicro | X11dpt-Ps Firmware      | 1.71.5
Supermicro | X11dpt-B Firmware       | 1.71.5
Supermicro | X11dpt-Bh Firmware      | 1.71.5
Supermicro | X11dpt-L Firmware       | 3.74
Supermicro | X11dpu Firmware         | 1.71.5
Supermicro | X11dpu-V Firmware       | 1.71.5
Supermicro | X11dpu-X Firmware       | 1.71.5
Supermicro | X11dpu-Xll Firmware     | 1.71.5
Supermicro | X11dpu-Z+ Firmware      | 1.71.5
Supermicro | X11dpu-Ze+ Firmware     | 1.71.5
Supermicro | X11dpg-Sn Firmware      | 1.71.5
Supermicro | X11dpg-Qt Firmware      | 1.71.5
Supermicro | X11dpg-Ot-Cpu Firmware  | 1.71.5
Supermicro | X11dpi-Nt Firmware      | 1.71.5
Supermicro | X11dpi-N Firmware       | 1.71.5
Supermicro | X11dpl-I Firmware       | 1.71.5
Supermicro | X11dpx-T Firmware       | 1.71.5
Supermicro | X11dgo-T Firmware       | 1.71.5
Supermicro | X11sca Firmware         | 1.71.5
Supermicro | X11sca-F Firmware       | 1.71.5
Supermicro | X11sch-F Firmware       | 1.23.2
Supermicro | X11sch-Ln4f Firmware    | 1.23.2
Supermicro | X11sca-W Firmware       | 1.71.5
Supermicro | X11scl-F Firmware       | 1.23.2
Supermicro | X11scl-Ln4f Firmware    | 1.23.2
Supermicro | X11scl-If Firmware      | 1.23.2
Supermicro | X11scm-F Firmware       | 1.23.2
Supermicro | X11scm-Ln8f Firmware    | 1.23.2
Supermicro | X11scw-F Firmware       | 3.75.00
Supermicro | X11spa-T Firmware       | 1.71.5
Supermicro | X11spa-Tf Firmware      | 1.71.5
Supermicro | X11spi-Tf Firmware      | 1.71.6
Supermicro | X11spl-F Firmware       | 1.71.6
Supermicro | X11spm-F Firmware       | 1.71.6

Showing 50 of 337 affected configurations. See NVD for the full list.

Timeline

Status: Modified

Frequently Asked Questions

What is CVE-2019-16649?
On Supermicro H11, H12, M11, X9, X10, and X11 products, a combination of encryption and authentication problems in the virtual media service allows capture of BMC credentials and data transferred over virtual media devices. Attackers can use captured credentials to connect virtual USB devices to the server managed by the BMC.
How severe is CVE-2019-16649?
CVE-2019-16649 has a CVSS score of 10/10 (CRITICAL severity). The EPSS model estimates a 0.92% probability of exploitation in the next 30 days.
How do I fix CVE-2019-16649?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2019-16649?

Run a free Strix scan to check your systems for this vulnerability.

Source: NVD / NIST