"Firmware version SMT_X9_315 has reorganized the Web root, adding quite a few new CGI applications, removing many more, and generally purging the use of insecure functions like strcpy()," the researchers said. In addition, accessing most CGI applications now requires authentication, with the exception of vmstatus.cgi and login.cgi, they said.
However, the Rapid7 researchers identified new issues that could allow remote root access without authentication through many of the CGI applications, and those issues have now also been reported to Supermicro.
"A cursory review of the new firmware shows significant improvements, but far more work is needed to provide a secure management console," the researchers said. "In the meantime, please treat the Supermicro IPMI web management interface the same way you would an unprotected root shell on the server it is attached to; disconnected from untrusted networks with access limited through another form of authentication (VPN, etc)."
According to the Rapid7 researchers, there are over 35,000 Supermicro IPMIs exposed to the Internet.
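The two recommendations above (keep the BMC off untrusted networks, and confirm that only login.cgi and vmstatus.cgi answer without a session) can be turned into a routine audit. The following Python script is an added example, not Rapid7's or Supermicro's code: the BMC inventory, the management subnet, the CGI names other than the two named in the article, and the `/cgi/` URL prefix are all assumptions, and the sample run uses a constructed fake probe rather than a live device.

```python
"""Defender-side audit of BMC (IPMI) network placement and web-auth coverage.

Added example, not Rapid7's or Supermicro's code. Assumes:
  - an inventory of BMC addresses you administer (constructed sample below),
  - the management network(s) those BMCs are allowed to live on,
  - a probe(path) function returning the HTTP status of an unauthenticated
    GET of a CGI path (a fake is used in the sample; http_probe is live).
"""
import ipaddress
import urllib.error
import urllib.request

# CGI applications the article says still answer without a session in
# SMT_X9_315; everything else should demand authentication.
ALLOWED_UNAUTH = {"login.cgi", "vmstatus.cgi"}

# Paths to probe. Only the two above come from the article; the
# "example_*" names are hypothetical placeholders for other CGIs.
CGI_PATHS = ["login.cgi", "vmstatus.cgi", "example_a.cgi", "example_b.cgi"]


def misplaced_bmcs(inventory, management_nets):
    """Return (host, addr) pairs that are globally routable or outside
    every allowed management network."""
    nets = [ipaddress.ip_network(n) for n in management_nets]
    flagged = []
    for host, addr in inventory.items():
        ip = ipaddress.ip_address(addr)
        if ip.is_global or not any(ip in n for n in nets):
            flagged.append((host, addr))
    return flagged


def unauthenticated_cgis(probe, paths=CGI_PATHS, allowed=ALLOWED_UNAUTH):
    """Return CGI names that serve a 200 to an unauthenticated GET but are
    not on the documented no-auth list. A 401/403 or a redirect to the
    login page is the expected answer for everything else."""
    return [p for p in paths if p not in allowed and probe(p) == 200]


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx as HTTPError so a redirect-to-login is not counted as 200."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_probe(base_url, timeout=5.0):
    """Build a probe that issues real unauthenticated GETs against
    base_url/cgi/<path> (the /cgi/ prefix is an assumption)."""
    opener = urllib.request.build_opener(_NoRedirect)

    def probe(path):
        req = urllib.request.Request(f"{base_url}/cgi/{path}", method="GET")
        try:
            with opener.open(req, timeout=timeout) as resp:
                return resp.status
        except urllib.error.HTTPError as e:
            return e.code
    return probe


# Constructed sample data: not real devices or real responses.
SAMPLE_INVENTORY = {
    "bmc-rack1-01": "10.200.0.11",
    "bmc-rack1-02": "10.200.0.12",
    "bmc-lab-03": "192.0.2.44",    # documentation address: off the mgmt net
    "bmc-rack2-01": "10.50.7.9",   # private, but not on the mgmt net either
}
MANAGEMENT_NETS = ["10.200.0.0/24"]

SAMPLE_STATUS = {"login.cgi": 200, "vmstatus.cgi": 200,
                 "example_a.cgi": 200, "example_b.cgi": 401}


def fake_probe(path):
    """Stand-in for http_probe() that replays the constructed statuses."""
    return SAMPLE_STATUS.get(path, 404)


if __name__ == "__main__":
    for host, addr in misplaced_bmcs(SAMPLE_INVENTORY, MANAGEMENT_NETS):
        print(f"BMC {host} ({addr}) is reachable outside the management net")
    for cgi in unauthenticated_cgis(fake_probe):
        print(f"{cgi} answered 200 without a session; expected auth")
```

Run it against a real BMC by replacing `fake_probe` with `http_probe("https://<bmc-address>")`; the redirect handler matters because a BMC that bounces anonymous requests to its login page would otherwise look like a 200 and mask the finding.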