Skip to main content
AMD Security Bulletin AMD-SB-3015, December 2024

Vulnerability Disclosure:

Supermicro is aware of the security issue where it may be possible to modify serial presence detect (SPD) metadata to make an attached memory module appear larger than it is, which may produce memory address aliasing. This issue affects AMD EPYC™ 3rd and 4th Gen Processors.

CVE:

  • CVE-2024-21944
    • Severity: Medium

Findings:

This security vulnerability undermines the integrity of features of Secure Encrypted Virtualization Secure Nested Paging (SEV-SNP). An attacker may modify serial presence detect (SPD) metadata to make a memory module appear larger than it is. By doubling the reported size of a memory module, two different system-physical addresses, as seen by the host, may alias to the same underlying DRAM location. This could allow an attacker to overwrite and corrupt system memory, potentially bypassing protections offered by SEV-SNP. The researchers demonstrate a method of exploiting this attack that requires physical access to the dual in-line memory modules (DIMMs) but believe the attack could also be executed without physical access if DIMM does not lock SPD.

Affected products:

Supermicro BIOS in the server H12 and H13 motherboards.

AMD Motherboard GenerationBIOS Version with the fix
H12 - Milanv 3.0
H13 - Genoav 3.1
H13VW-NT - Sienav 1.3

Remediation:

  • All affected Supermicro motherboard SKUs will require a BIOS update to mitigate this potential vulnerability.
  • An updated BIOS firmware had been created to mitigate this potential vulnerability. Supermicro is currently testing and validating affected products. Please check Release Notes for the resolution.