BIOS Vulnerabilities, July 2024

Vulnerability Disclosure:

The purpose of this disclosure is to communicate the potential vulnerabilities affecting Supermicro products that were reported by an external researcher.

Acknowledgement:

Supermicro would like to acknowledge the work done by a researcher from China, Eason and vul_pwner, for discovering potential vulnerabilities in the Supermicro BIOS Firmware.

Findings:

Supermicro is aware of the following potential vulnerabilities in the BIOS firmware. Improper input validation in the Supermicro BIOS may allow an arbitrary memory write, which could potentially be exploited.

CVEs and Affected products:

CVE-2024-36433
  CVSS Score: High (7.5)
  Vulnerability type: Arbitrary memory write
  Affected motherboards:
    • X11DPH-T
    • X11DPH-Tq
    • X11DPH-i
  BIOS version with fix: v 4.4

CVE-2024-36434
  CVSS Score: High (7.5)
  Vulnerability type: SMM callout
  Affected motherboards:
    • X11DPH-T
    • X11DPH-Tq
    • X11DPH-i
  BIOS version with fix: v 4.4

CVE-2024-36432
  CVSS Score: High (7.5)
  Vulnerability type: Arbitrary memory write
  Affected motherboards:
    • X11DPG-HGX2
    • X11PDG-QT
    • X11PDG-OT
    • X11PDG-SN
  BIOS version with fix: v 4.4

Mitigation:

Supermicro has created a fix to mitigate these potential vulnerabilities. Affected motherboards are being validated. Please check the release notes for resolution.

Exploitation and Public Announcement:

Supermicro is not aware of any public announcements or malicious use of the vulnerabilities described in this advisory.