Supermicro Motherboards Vulnerable to Critical RCE Flaw (CVE-2024-36435)
Supermicro (Super Micro Computer, Inc.), a leading provider of server and motherboard solutions, has disclosed a critical security vulnerability (CVE-2024-36435) that exposes a wide range of its products to remote code execution attacks. The vulnerability, discovered by Alexander Tereshkin of NVIDIA’s Offensive Security Research Team, resides in the web server component of the Baseboard Management Controller (BMC) firmware shipped on certain Supermicro motherboards.
The root cause is a buffer overflow in the BMC firmware’s “GetValue” function. Because the function does not validate the length of the data it receives, an unauthenticated attacker who can reach the BMC web interface over the network can send a specially crafted request and potentially execute arbitrary code with the privileges of the BMC. The CVSS base score of 9.8 (Critical) reflects that the flaw is remotely exploitable with no privileges or user interaction required. The impact is more serious than a comparable bug in a host application: the BMC is a separate management processor with out-of-band control of the host (power, remote console, firmware updates), so code running on it persists across operating-system reinstalls and is largely invisible to host-based security tooling.
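As an added illustration (this is not Supermicro’s firmware and not the actual vulnerable code, which has not been published), the following C sketch contrasts the bug class described above, an unchecked copy of request data into a fixed-size buffer, with a bounds-checked handler. The query-string format, the parameter name `key`, the 32-byte buffer, the simulated stack frame and both sample requests are assumptions constructed for the demo.

```c
/* Added example: the bug class behind CVE-2024-36435 (a length-unchecked copy of
 * request data into a fixed-size buffer) next to a hardened version.
 * NOT Supermicro firmware code; names, sizes and request format are assumed. */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define VALUE_MAX 32                    /* assumed size of the handler's local buffer */
#define ORIGINAL_RET 0x4000111122223333ULL  /* stand-in for a saved return address */

/* Simulated stack frame: the value buffer followed by what would be the saved
 * return address in a real frame. Bytes written past `value` land in `saved_ret`. */
struct frame {
    char     value[VALUE_MAX];
    uint64_t saved_ret;
};

/* Constructed sample requests (assumed format, not a real Supermicro endpoint). */
static const char REQ_OK[] = "op=GetValue&key=fan1";
static const char REQ_OVERFLOW[] =
    "op=GetValue&key="
    "XXXXXXXX" "XXXXXXXX" "XXXXXXXX" "XXXXXXXX"   /* 32 bytes fill the buffer   */
    "BBBBBBBB";                                  /* next 8 bytes hit saved_ret */

/* Locate `name=` in an '&'-separated query string. Sets *out to the value's first
 * byte (or NULL) and returns the value length in bytes (0 if absent). */
static size_t find_param(const char *query, const char *name, const char **out) {
    size_t nlen = strlen(name);
    const char *p = query;
    while (p && *p) {
        if (strncmp(p, name, nlen) == 0 && p[nlen] == '=') {
            *out = p + nlen + 1;
            const char *amp = strchr(*out, '&');
            return amp ? (size_t)(amp - *out) : strlen(*out);
        }
        p = strchr(p, '&');
        if (p) p++;
    }
    *out = NULL;
    return 0;
}

/* Vulnerable pattern: trusts the parameter length and copies it straight into the
 * fixed buffer with no check against VALUE_MAX. To stay within defined behaviour
 * the demo caps the copy at the frame size; a real vulnerable handler has no cap,
 * but the effect on saved_ret is identical. Returns saved_ret after the copy. */
uint64_t get_value_unsafe(const char *query) {
    struct frame f;
    const char *val;
    size_t n = find_param(query, "key", &val);
    f.saved_ret = ORIGINAL_RET;
    if (val == NULL) return f.saved_ret;
    if (n > sizeof f) n = sizeof f;            /* demo-only cap, see above */
    memcpy((unsigned char *)&f, val, n);       /* missing: if (n >= VALUE_MAX) reject */
    return f.saved_ret;
}

/* Hardened pattern: validate the length first, reject oversized or missing input,
 * and always NUL-terminate. Returns 0 on success, -1 on rejection. */
int get_value_safe(const char *query, char *dst, size_t dst_len) {
    const char *val;
    size_t n = find_param(query, "key", &val);
    if (dst_len == 0) return -1;
    dst[0] = '\0';
    if (val == NULL || n == 0 || n >= dst_len) return -1;   /* leave room for NUL */
    memcpy(dst, val, n);
    dst[n] = '\0';
    return 0;
}

/* Helpers so the outcome of the safe handler can be checked as a return value. */
int safe_rejects(const char *query) {
    char buf[VALUE_MAX];
    return get_value_safe(query, buf, sizeof buf) == -1;
}

int safe_value_equals(const char *query, const char *expected) {
    char buf[VALUE_MAX];
    return get_value_safe(query, buf, sizeof buf) == 0 && strcmp(buf, expected) == 0;
}

int main(void) {
    printf("unsafe, benign request : saved_ret = 0x%016" PRIx64 "\n", get_value_unsafe(REQ_OK));
    printf("unsafe, oversized key  : saved_ret = 0x%016" PRIx64 "\n", get_value_unsafe(REQ_OVERFLOW));
    printf("safe,   benign request : %s\n", safe_value_equals(REQ_OK, "fan1") ? "accepted" : "rejected");
    printf("safe,   oversized key  : %s\n", safe_rejects(REQ_OVERFLOW) ? "rejected" : "accepted");
    return 0;
}
```

With the benign request the simulated return address is untouched; with the oversized `key` the unsafe handler overwrites it with the attacker’s bytes (0x42…42), which is the control-flow hijack primitive behind this class of RCE, while the hardened handler rejects the request before copying anything.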
To mitigate the risk of exploitation, Supermicro urges customers to update their BMC firmware to the latest available version. The company is testing and validating updated firmware for affected motherboards across the X11, X12, H12, B12, X13, H13 and B13 product lines (including CMM6 modules). Users should check the release notes for their specific motherboard model to find the firmware version that contains the fix, compare it against the version currently installed on each BMC, and update any that are behind.
While awaiting firmware updates, Supermicro recommends following its BMC Configuration Best Practices Guide and configuring session timeouts to reduce the attack surface. Because the flaw requires no credentials, the most effective interim control is limiting who can reach the BMC web interface at all: keep BMC ports on a dedicated, access-controlled management network rather than on production or internet-facing segments.
Although Supermicro has received no reports of CVE-2024-36435 being exploited in the wild, an unauthenticated remote code execution flaw in a management controller is an attractive target. Administrators responsible for Supermicro servers and motherboards should treat this as a high-priority issue and apply the recommended mitigations without delay.