Skip to main content
AMD Security Bulletin AMD-SB-4007, May 2024

Vulnerability Disclosure:

Supermicro is aware of the Memory leak vulnerabilities in AMD DXE driver in Server and Client desktop and mobile APUs/CPUs may allow a highly privileged user to obtain sensitive information. This issue affects AMD EPYC™ 3rd Gen Processors.

CVE:

  • CVE-2023-20594
    • Severity: Medium
  • CVE-2023-20597
    • Severity: Medium

Findings:

Memory leak vulnerabilities in AMD DXE driver in Server and Client desktop and mobile APUs/CPUs may allow a highly privileged user to obtain sensitive information. These potential vulnerabilities in the Drive Execution Environment (DXE) driver that may allow an attacker to dump stack memory or global memory into an NVRAM variable. This may result in a denial-of-service or information disclosure.

Affected products:

Supermicro BIOS in the server H12 motherboards and H13 and M12 client boards.

Server Motherboards:
AMD Motherboard GenerationBIOS Version with the fix
H12 - Milanv 2.8
Client Products:
AMD Client MotherboardBIOS Version with the fix
H13SRD-Fv 1.2
H13SRE-Fv 1.0
H13SAE-MFv 2.0a
M12SWA-TFv 2.2

Remediation:

  • All affected Supermicro motherboard SKUs will require a BIOS update to mitigate this potential vulnerability.
  • An updated BIOS firmware had been created to mitigate this potential vulnerability. Supermicro is currently testing and validating affected products. Please check Release Notes for the resolution.