Headline
CVE-2023-34853: Variable Modification Due to Stack Overflow | Supermicro
Buffer Overflow vulnerability in Supermicro motherboard X12DPG-QR 1.4b allows local attackers to hijack control flow via manipulation of SmcSecurityEraseSetupVar variable.
Variable Modification Due to Stack Overflow
Vulnerability Disclosure:
The purpose of this vulnerability disclosure is to communicate the potential vulnerability affecting Supermicro products that was reported by an external researcher.
Acknowledgement:
Supermicro would like to acknowledge the work done by the researcher from Wuhan University, China for discovering a potential vulnerability in the X12DPG-QR motherboard.
Findings:
Possible stack overflow occurrence in the BIOS firmware may allow an attacker to exploit this vulnerability by manipulating a variable to potentially hijack the control flow, allowing attackers with the kernel level privileges to escalate their privileges and potentially leading to the execution of arbitrary code.
CVE:
- CVE-2023-34853
- Severity: High
Affected products:
Supermicro BIOS in X11, X12, X13, and H11, H12, H13 motherboards.
Solution:
All affected Supermicro motherboard SKUs will require a BIOS update to mitigate this potential vulnerability.
An updated BIOS firmware had been created to mitigate this potential vulnerability. Supermicro is currently testing and validating affected products. Please check Release Notes for the resolution.