CVE-2024-10238

CVE-2024-10238 is a stack-based buffer overflow vulnerability (CWE-121) in the firmware image verification implementation of the Supermicro MBD-X12DPG-OA6 motherboard. The issue arises from a failure to check the fld->used_bytes value, allowing a specially crafted firmware image to trigger the overflow. Published on February 4, 2025, it carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact.

An attacker with high privileges (PR:H), such as an administrator with access to the system's firmware update mechanisms, can exploit this vulnerability over the network (AV:N) with low complexity (AC:L) and no user interaction required (UI:N). By uploading a maliciously crafted firmware image, the attacker can trigger the stack overflow, potentially achieving high confidentiality, integrity, and availability impacts (C:H/I:H/A:H) within the unchanged scope (S:U), such as arbitrary code execution or full system compromise on the affected Supermicro motherboard.

Supermicro has published a security advisory addressing this and related BMC/IPMI issues, available at https://www.supermicro.com/en/support/security_BMC_IPMI_Jan_2025, which likely includes firmware updates or patches for mitigation. Security practitioners should apply these updates promptly to affected systems.