VYPR
Unrated severity · NVD Advisory · Published Apr 7, 2023 · Updated Feb 11, 2025

CVE-2022-43309

Description

Supermicro X11SSL-CF HW Rev 1.01, BMC firmware v1.63 was discovered to contain insecure permissions.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Insecure permissions in Supermicro X11SSL-CF BMC firmware v1.63 allow CPU voltage manipulation via I2C, risking computational errors.

Vulnerability

The Supermicro X11SSL-CF hardware revision 1.01 with BMC firmware version v1.63 contains insecure permissions on the Baseboard Management Controller (BMC) Inter-Integrated Circuit (I²C) bus [1]. This vulnerability affects the X11, X12, H11, and H12 product lines that include the Intelligent Platform Management Interface (IPMI) [1]. The insecure permissions allow unauthorized I²C commands to be sent, potentially altering the CPU voltage outside its specified operating range [1].

Exploitation

An attacker with network access to the BMC (e.g., via IPMI) can exploit the insecure permissions to send arbitrary I²C commands to the voltage regulator module [1]. No authentication or user interaction beyond BMC access is required. The attacker can then modify the CPU voltage settings, causing undervolting or overvolting conditions [1].

Impact

Successful exploitation allows the attacker to change the CPU voltage to values outside the intended operating range [1]. This can lead to incorrect computations, system instability, or denial of service. The impact is limited to affecting normal CPU operations; no code execution or data exfiltration is described in the available references.

Mitigation

Supermicro has acknowledged the vulnerability and is developing signed BMC firmware updates for all affected motherboard SKUs [1]. As of the advisory date (January 2023), the firmware was still being tested and validated; no specific fixed version has been released [1]. Users should monitor Supermicro's security page for updates and apply the firmware update once available. No workaround is provided. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0. No patches discovered yet.

References: 3