Shell injection in the SMTP notifications

Vulnerability Disclosure:

The purpose of this vulnerability disclosure is to communicate the potential vulnerability affecting Supermicro products that was reported by an external researcher.

Acknowledgment:

Supermicro would like to acknowledge the work done by the researcher from Germany for discovering a potential vulnerability in the H12SSL-NT motherboard.

Findings:

Vulnerability in the select supermicro boards may affect SMTP notification configurations. The vulnerability may allow unauthenticated bad actors to control user inputs such as the subject in the alert settings which may lead to an arbitrary execution of code.

CVE:

CVE-2023-35861
Severity: High

Affected products:

Supermicro BMC in select X12, X13, and H12, H13 motherboards.

Solution:

All affected Supermicro motherboard SKUs will require a BMC update to mitigate this potential vulnerability.
An updated BMC firmware had been created to mitigate this potential vulnerability. Supermicro is currently testing and validating affected products. Please check Release Notes for the resolution.

Resources:

CVE-2023-35861

Rackmount Servers

1U Dual Processor

2U Dual Processor

Single Processor

Multi Processor

Product Families

GPU Servers

8U GPU Lines

4U GPU Lines

2U GPU Lines

1U GPU Lines

Twin Servers

BigTwin®

GrandTwin®

TwinPro®

Twin

FatTwin®

Blade Servers

SuperBlade®

MicroBlade®

MicroCloud

Storage Servers

All Storage Systems

All-Flash NVMe

Top-Loading Storage

Enterprise-Optimized Storage

JBOD Storage Enclosures

Motherboards

Server Boards

Workstation Boards

Embedded / IoT Boards

Desktop / Gaming Boards

Previous Gen.

Motherboard Matrix

Global SKUs

Chassis

1U Chassis

2U Chassis

3U Chassis

4U / Tower Chassis

Mid / Mini-Tower

Embedded / IoT Chassis

Mobile Racks / Drive Kits

JBOD Storage Enclosures

Global SKUs

SuperRack®

Data Center Solution Engineering (DCSE)

Rack Integration Service

Accessories

Cable Matrix

Riser Card Matrix

Storage AOC Matrix

Power Supply Matrix

Heatsink Matrix

System Fan Matrix

Mobile Racks / Drive Kits

Front Chassis Bezels

Storage, I/O, Security

Edge & Telecom Servers

Fanless Edge Systems

Compact Edge Systems

Outdoor Edge Systems

1U Edge Network Systems

5G/Telecom Systems

Embedded Motherboards

Embedded Chassis

Switches

Adapters

SuperWorkstations

Liquid-Cooled AI Development Platform

Single-Processor

Dual-Processor

Supero™ Gaming Solutions

AI Infrastructure

NVIDIA Solutions

Intel Solutions

AMD Solutions

AI Storage

Edge AI

AI SuperCluster