CVE-2019-16650

CRITICAL | CVSS 10/10 | EPSS 2.16%

CVE-2019-16650 is a critical-severity vulnerability rated 10/10 on the CVSS scale. On Supermicro X10 and X11 products, a client's access privileges may be transferred to a different client that later has the same socket file descriptor number. In opportunistic circumstances, an attacker can simply connect to the virtual media service, and then connect virtual USB devices to the server managed by the BMC. EPSS estimates a 2.16% chance of exploitation in the next 30 days.

Description

On Supermicro X10 and X11 products, a client's access privileges may be transferred to a different client that later has the same socket file descriptor number. In opportunistic circumstances, an attacker can simply connect to the virtual media service, and then connect virtual USB devices to the server managed by the BMC.

Metrics

CVSS 3.1: 10/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

EPSS Probability: 2.16% (79.9th percentile)

Probability of exploitation in the next 30 days.

Affected Software

| Vendor | Product | Versions |
|---|---|---|
| Supermicro | X11dai-N Firmware | 1.71.5 |
| Supermicro | X11dac Firmware | 1.71.5 |
| Supermicro | X11dph-Tq Firmware | 1.71.5 |
| Supermicro | X11dph-I Firmware | 1.71.5 |
| Supermicro | X11dph-T Firmware | 1.71.5 |
| Supermicro | X11dps-Re Firmware | 1.71.5 |
| Supermicro | X11dsf-E Firmware | 1.71.5 |
| Supermicro | X11dsn-Ts Firmware | 1.71.5 |
| Supermicro | X11dsn-Tsq Firmware | 1.71.5 |
| Supermicro | X11dsc+ Firmware | 1.74 |
| Supermicro | X11ddw-Nt Firmware | 1.71.5 |
| Supermicro | X11ddw-L Firmware | 1.71.5 |
| Supermicro | X11dgq Firmware | 1.71.5 |
| Supermicro | X11dpff-Sn Firmware | 1.71.5 |
| Supermicro | X11dpfr-Sn Firmware | 1.71.5 |
| Supermicro | X11dpfr-S Firmware | 1.71.5 |
| Supermicro | X11dpt-Ps Firmware | 1.71.5 |
| Supermicro | X11dpt-B Firmware | 1.71.5 |
| Supermicro | X11dpt-Bh Firmware | 1.71.5 |
| Supermicro | X11dpt-L Firmware | 3.74 |
| Supermicro | X11dpu Firmware | 1.71.5 |
| Supermicro | X11dpu-V Firmware | 1.71.5 |
| Supermicro | X11dpu-X Firmware | 1.71.5 |
| Supermicro | X11dpu-Xll Firmware | 1.71.5 |
| Supermicro | X11dpu-Z+ Firmware | 1.71.5 |
| Supermicro | X11dpu-Ze+ Firmware | 1.71.5 |
| Supermicro | X11dpg-Sn Firmware | 1.71.5 |
| Supermicro | X11dpg-Qt Firmware | 1.71.5 |
| Supermicro | X11dpg-Ot-Cpu Firmware | 1.71.5 |
| Supermicro | X11dpi-Nt Firmware | 1.71.5 |
| Supermicro | X11dpi-N Firmware | 1.71.5 |
| Supermicro | X11dpl-I Firmware | 1.71.5 |
| Supermicro | X11dpx-T Firmware | 1.71.5 |
| Supermicro | X11dgo-T Firmware | 1.71.5 |
| Supermicro | X11sca Firmware | 1.71.5 |
| Supermicro | X11sca-F Firmware | 1.71.5 |
| Supermicro | X11sch-F Firmware | 1.23.2 |
| Supermicro | X11sch-Ln4f Firmware | 1.23.2 |
| Supermicro | X11sca-W Firmware | 1.71.5 |
| Supermicro | X11scl-F Firmware | 1.23.2 |
| Supermicro | X11scl-Ln4f Firmware | 1.23.2 |
| Supermicro | X11scl-If Firmware | 1.23.2 |
| Supermicro | X11scm-F Firmware | 1.23.2 |
| Supermicro | X11scm-Ln8f Firmware | 1.23.2 |
| Supermicro | X11scw-F Firmware | 3.75.00 |
| Supermicro | X11spa-T Firmware | 1.71.5 |
| Supermicro | X11spa-Tf Firmware | 1.71.5 |
| Supermicro | X11spi-Tf Firmware | 1.71.6 |
| Supermicro | X11spl-F Firmware | 1.71.6 |
| Supermicro | X11spm-F Firmware | 1.71.6 |

Showing 50 of 264 affected configurations. See NVD for the full list.

References

Timeline

Published
Last Modified
Status: Modified

Frequently Asked Questions

What is CVE-2019-16650?
On Supermicro X10 and X11 products, a client's access privileges may be transferred to a different client that later has the same socket file descriptor number. In opportunistic circumstances, an attacker can simply connect to the virtual media service, and then connect virtual USB devices to the server managed by the BMC.
How severe is CVE-2019-16650?
CVE-2019-16650 has a CVSS score of 10/10 (CRITICAL severity). The EPSS model estimates a 2.16% probability of exploitation in the next 30 days.
How do I fix CVE-2019-16650?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Source: NVD / NIST