Vulnerability Disclosure:
The purpose of this disclosure is to communicate the potential vulnerabilities affecting Supermicro products that were reported by an external researcher.
Acknowledgement:
Supermicro would like to acknowledge the work done by a researcher from China, Eason and vul_pwner, for discovering potential vulnerabilities in the Supermicro BIOS Firmware.
Findings:
Supermicro is aware of the following potential vulnerabilities in the BIOS firmware. Improper input validation in the Supermicro BIOS may allow arbitrary memory write which can be potentially exploited.
CVEs and Affected products:
| CVE ID | CVSS Score | Vulnerability type | Affected motherboards | BIOS version with fix |
|---|---|---|---|---|
| CVE-2024-36433 | High (7.5) | Arbitrary memory write |
| v 4.4 |
| CVE-2024-36434 | High (7.5) | SMM callout |
| v 4.4 |
| CVE-2024-36432 | High (7.5) | Arbitrary memory write |
| v 4.4 |
Mitigation:
Supermicro has created a fix to mitigate these potential vulnerabilities. Affected motherboards are being validated. Please check the release notes for resolution.
Exploitation and Public Announcement:
Supermicro is not aware of any public announcements or malicious use of the vulnerabilities described in this advisory.