CVE-2024-10239
Published: 04 February 2025
Description
A security issue in the firmware image verification implementation in the Supermicro MBD-X12DPG-OA6. An attacker with administrator privileges can upload a specially crafted image, which can cause a stack overflow due to the unchecked fat->fsd.max_fld.
Security Summary
CVE-2024-10239 is a stack-based buffer overflow (CWE-121) in the firmware image verification implementation on Supermicro MBD-X12DPG-OA6 motherboards. The root cause is an unchecked fat->fsd.max_fld value: a malformed firmware image carrying an out-of-range value in that field triggers the overflow while the image is being verified, so the image does not need to pass verification to reach the bug. The CVSS v3.1 base score is 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H), rated High.
An attacker who already holds administrator privileges (PR:H) can exploit the vulnerability over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N) by uploading a specially crafted firmware image. The resulting stack overflow can lead to full confidentiality, integrity, and availability compromise (C:H/I:H/A:H) within the affected component (S:U). The privilege requirement matters for triage: this is a post-authentication issue, but the overflow sits in the very check that is supposed to stop an administrator from loading an arbitrary image, so valid admin credentials (or a compromised admin account) are the only prerequisite.
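The unchecked-count pattern the advisory describes, shown as an added example that is not Supermicro's code and not taken from the advisory: a parser that trusts fat->fsd.max_fld as a copy length into a fixed-size stack buffer, next to a hardened version. The image layout, the 4-byte entry size and the 8-entry capacity are assumptions made for the illustration; only the field name comes from the description.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed layout for illustration only. The advisory gives just the field
 * name fat->fsd.max_fld; the image format, the 4-byte entry size and the
 * capacity of 8 entries are assumptions, not Supermicro's real structures. */
#define MAX_FIELDS 8u

struct fsd {
    uint32_t max_fld;                 /* entry count read straight from the image */
};

struct fat {
    struct fsd fsd;
    uint32_t fields[MAX_FIELDS];      /* fixed-size buffer; lives on the caller's stack */
};

/* "Before" side, the CWE-121 pattern the advisory describes: max_fld is used as
 * a copy length without being compared to the capacity of fat->fields, so an
 * image declaring a larger count writes past the end of the struct.
 * Kept for contrast; never call it on untrusted input. */
int parse_unchecked(const uint8_t *img, size_t len, struct fat *fat)
{
    if (len < sizeof(uint32_t))
        return -1;
    memcpy(&fat->fsd.max_fld, img, sizeof(uint32_t));
    /* BUG: neither max_fld <= MAX_FIELDS nor len >= 4 + 4*max_fld is checked */
    memcpy(fat->fields, img + sizeof(uint32_t),
           fat->fsd.max_fld * sizeof(uint32_t));
    return 0;
}

/* Hardened side: bound the count by the destination capacity first (so the
 * later multiplication cannot wrap), then by the bytes actually present. */
int parse_checked(const uint8_t *img, size_t len, struct fat *fat)
{
    uint32_t n;

    if (img == NULL || fat == NULL || len < sizeof(uint32_t))
        return -1;
    memcpy(&n, img, sizeof(uint32_t));
    if (n > MAX_FIELDS)                                   /* would overflow fields[] */
        return -1;
    if ((len - sizeof(uint32_t)) / sizeof(uint32_t) < n)  /* image shorter than it claims */
        return -1;
    fat->fsd.max_fld = n;
    memcpy(fat->fields, img + sizeof(uint32_t), (size_t)n * sizeof(uint32_t));
    return 0;
}

/* Sum of the parsed entries; used only to confirm what was copied. */
uint32_t field_sum(const struct fat *fat)
{
    uint32_t s = 0;
    for (uint32_t i = 0; i < fat->fsd.max_fld && i < MAX_FIELDS; i++)
        s += fat->fields[i];
    return s;
}

/* Build a constructed image: [declared count][nvals entries], host byte order.
 * Returns the number of bytes written, or 0 if buf is too small. */
size_t build_image(uint8_t *buf, size_t cap, uint32_t declared,
                   const uint32_t *vals, uint32_t nvals)
{
    size_t need = sizeof(uint32_t) * (1 + (size_t)nvals);
    if (need > cap)
        return 0;
    memcpy(buf, &declared, sizeof(uint32_t));
    memcpy(buf + sizeof(uint32_t), vals, (size_t)nvals * sizeof(uint32_t));
    return need;
}

int main(void)
{
    uint8_t img[64];
    struct fat fat;
    uint32_t vals[3] = {1, 2, 3};

    /* benign image: declares 3 entries, carries 3 */
    size_t n = build_image(img, sizeof img, 3, vals, 3);
    printf("benign:  checked=%d sum=%u\n", parse_checked(img, n, &fat), field_sum(&fat));

    /* crafted image: declares 0x40000000 entries, carries 3. parse_unchecked
     * would memcpy 4 GiB over the stack; parse_checked refuses it. */
    n = build_image(img, sizeof img, 0x40000000u, vals, 3);
    printf("crafted: checked=%d\n", parse_checked(img, n, &fat));
    return 0;
}
```

The order of the two checks in parse_checked is deliberate: comparing the raw count against MAX_FIELDS before computing a byte length means the product can never wrap on a 32-bit size_t, and checking the remaining image length separately catches images whose declared count is within capacity but whose payload is truncated.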
Supermicro has issued a security advisory with mitigation guidance and patch information at https://www.supermicro.com/en/support/security_BMC_IPMI_Jan_2025. Practitioners should consult that advisory for the fixed firmware and apply it promptly to affected MBD-X12DPG-OA6 systems. Until the update is in place, the usual management-interface hygiene limits exposure: keep the interface off untrusted networks and restrict who holds administrator credentials, since those credentials are the only prerequisite for exploitation.
Details
- CWE(s)