Vulnerability Disclosure:
The purpose of this disclosure is to communicate the potential vulnerabilities affecting Supermicro products that were reported by an external researcher.
Acknowledgement:
Supermicro would like to acknowledge the work done by Alexander Tereshkin, NVIDIA Offensive Security Research Team for discovering potential vulnerability in Supermicro BMC IPMI Firmware.
Summary:
A security issue has been discovered in select Supermicro motherboards. This issue affects the web server component of their BMC.
| CVE ID | Severity | Description |
|---|---|---|
| CVE-2024-36435 | Critical | This potential vulnerability in Supermicro BMC may come from a buffer overflow in the “GetValue” function of the firmware that is caused by a lack of checking the input value. An unauthenticated user can post specially crafted data to the interface, which will trigger a stack buffer overflow and may lead to arbitrary remote code execution on a BMC. |
Affected products:
Supermicro BMC firmware in select X11, X12, H12, B12, X13, H13, and B13 motherboards (and CMM6 modules).
Remediation:
All affected Supermicro motherboard SKUs will require a BMC update to mitigate these potential vulnerabilities.
Updated BMC firmware have been created to mitigate these potential vulnerabilities. Supermicro is currently testing and validating affected products. Please check release notes for the resolution.
As an immediate workaround to reduce the attack surface, it is advised to follow the BMC Configuration Best Practices Guide and configure session timeout.
Exploitation and Public Announcements:
Supermicro is not aware of any malicious use of these vulnerabilities in the wild.