Pasar al contenido principal
Shell injection in the SMTP notifications

Vulnerability Disclosure:

The purpose of this vulnerability disclosure is to communicate the potential vulnerability affecting Supermicro products that was reported by an external researcher.

Acknowledgment:

Supermicro would like to acknowledge the work done by the researcher from Germany for discovering a potential vulnerability in the H12SSL-NT motherboard.

Findings:

Vulnerability in the select supermicro boards may affect SMTP notification configurations. The vulnerability may allow unauthenticated bad actors to control user inputs such as the subject in the alert settings which may lead to an arbitrary execution of code.

CVE:

  • CVE-2023-35861
  • Severity: High

Affected products:

Supermicro BMC in select X12, X13, and H12, H13 motherboards.

Solution:

  • All affected Supermicro motherboard SKUs will require a BMC update to mitigate this potential vulnerability.
  • An updated BMC firmware had been created to mitigate this potential vulnerability. Supermicro is currently testing and validating affected products. Please check Release Notes for the resolution.

Resources: