CVE-2023-35861 Overview
CVE-2023-35861 is a critical shell-injection vulnerability affecting the email notification functionality in the Baseboard Management Controller (BMC) firmware of numerous Supermicro motherboards. This vulnerability allows remote attackers to inject and execute arbitrary commands with root privileges on the BMC, providing complete control over the server management interface.
The vulnerability exists in how the BMC processes email notification parameters, failing to properly sanitize user-supplied input before passing it to shell commands. Since BMC controllers operate independently of the main operating system and provide out-of-band management capabilities, successful exploitation could allow attackers to maintain persistent access to server infrastructure even after OS reinstallation.
Critical Impact
Remote attackers can execute arbitrary commands as root on the BMC, enabling full server management control, persistent backdoor access, and potential lateral movement across data center infrastructure.
Affected Products
- Supermicro H12DST-B (firmware versions before 03.10.35)
- Supermicro X13 Series Motherboards (X13DAI-T, X13DDW-A, X13DEG series, X13DEI series, X13SAE series, X13SAN series, and others)
- Supermicro X12 Series Motherboards (X12DAI-N6, X12DDW-A6, X12DPG series, X12DPI series, X12SPL series, and others)
- Supermicro H13 Series Motherboards (H13DSG-O-CPU, H13DSH, H13SAE-MF, H13SSL series, and others)
- Supermicro H12 Series Motherboards (H12SSW series, H12SSL series, H12DSG series, H12DGO-6, and others)
Discovery Timeline
- July 31, 2023 - CVE-2023-35861 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2023-35861
Vulnerability Analysis
This command injection vulnerability resides in the email notification subsystem of Supermicro BMC firmware. The BMC (Baseboard Management Controller) is an embedded microcontroller that provides remote server management capabilities, including power control, hardware monitoring, and alert notifications. The email notification feature allows administrators to receive alerts about system events.
The vulnerability occurs because the BMC firmware fails to properly sanitize user-controlled input fields before incorporating them into shell commands. When processing email notification configuration or triggering alert emails, the system constructs command strings using unsanitized parameters, allowing attackers to inject shell metacharacters and additional commands.
Since the BMC operates with root privileges and functions independently of the host operating system, successful exploitation grants attackers complete control over the management plane. This enables activities such as modifying BIOS/UEFI settings, accessing virtual media, cycling power, and monitoring hardware sensors—all without detection by host-based security solutions.
Root Cause
The root cause is improper input validation (CWE-78: Improper Neutralization of Special Elements used in an OS Command) in the email notification functionality. User-supplied input is directly concatenated into shell command strings without sanitization, allowing shell metacharacters such as semicolons, backticks, or pipe operators to break out of the intended command context and execute arbitrary commands.
Attack Vector
The attack can be carried out remotely over the network by any attacker with access to the BMC web interface or API. The vulnerability requires no authentication in some configurations, or can be exploited by any authenticated user regardless of privilege level. An attacker crafts malicious input containing shell metacharacters and embedded commands within email configuration parameters or notification trigger requests.
The BMC's isolated nature means exploitation occurs entirely within the management controller, bypassing host-based security tools. Attackers can leverage root access on the BMC to establish persistent backdoors, intercept IPMI traffic, manipulate firmware, or pivot to other systems on the management network.
Detection Methods for CVE-2023-35861
Indicators of Compromise
- Unusual outbound connections from BMC IP addresses to external command-and-control servers
- Modified email notification settings with suspicious characters or encoded payloads in configuration fields
- Unexpected processes or shell activity in BMC system logs
- New user accounts or SSH keys added to the BMC
- Changes to BMC firmware or configuration files outside of authorized maintenance windows
Detection Strategies
- Monitor BMC event logs for unusual SMTP configuration changes or authentication failures
- Implement network segmentation and monitor traffic between the management network and untrusted networks
- Deploy network intrusion detection signatures for common shell injection patterns in HTTP requests to BMC interfaces
- Audit BMC configurations regularly for unauthorized modifications to email settings
Monitoring Recommendations
- Enable comprehensive logging on BMC interfaces and forward logs to a centralized SIEM
- Monitor for unusual network traffic patterns from management network segments
- Implement alerting for BMC firmware version changes or configuration modifications
- Conduct periodic vulnerability scans of BMC interfaces from the management network
How to Mitigate CVE-2023-35861
Immediate Actions Required
- Update affected Supermicro motherboard BMC firmware to the latest patched version immediately
- Restrict network access to BMC interfaces using firewall rules and VLAN segmentation
- Disable email notifications if not required until firmware is updated
- Audit BMC configurations for signs of prior compromise
- Review and strengthen BMC authentication credentials
Patch Information
Supermicro has released firmware updates addressing this vulnerability. For the H12DST-B, version 03.10.35 and later contain the fix. Organizations should consult the Supermicro Security Advisory for specific firmware versions and download links for all affected motherboard models. Additional technical analysis is available in the Freax13 CVE-2023-35861 Analysis.
Workarounds
- Isolate BMC management interfaces on a dedicated out-of-band management network with strict access controls
- Implement network-level access restrictions limiting BMC access to authorized administrator workstations only
- Disable the email notification feature in BMC settings until firmware can be updated
- Use jump hosts or bastion servers for all BMC administrative access
- Enable HTTPS and disable legacy HTTP access to BMC web interfaces
# Network isolation example using iptables on management server
# Restrict BMC access to specific admin subnet only
iptables -A INPUT -p tcp -s 10.0.100.0/24 --dport 443 -j ACCEPT
iptables -A INPUT -p tcp -s 10.0.100.0/24 --dport 623 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j DROP
iptables -A INPUT -p tcp --dport 623 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
