AMD Security Bulletin AMD-SB-7027, February 2025

Vulnerability Disclosure:

Supermicro is aware of and is addressing two security vulnerabilities reported by Quarkslab within the AmdPspP2CmboxV2 and AmdCpmDisplayFeatureSMM UEFI modules supported on multiple AMD processors that could allow attackers to execute code within SMM (System Management Mode).

CVE:

CVE-2024-0179
- Severity: High
CVE-2024-21925
- Severity: High

Findings:

These vulnerabilities can allow a ring 0 attacker to escalate their privileges, potentially resulting in arbitrary code execution within SMM. AMD plans to release mitigations to address these vulnerabilities.

CVE-2024-0179:: Improper input validation in Satellite Management Controller (SMC) may allow an attacker with privileges to use certain special characters in manipulated Redfish® API commands, causing service processes like OpenBMC to crash and reset, potentially resulting in denial of service.
CVE-2024-21925:: SMM callout vulnerability within the AmdCpmDisplayFeatureSMM driver could allow locally authenticated attackers to overwrite SMRAM, potentially resulting in arbitrary code execution.
CVE-2024-21925:: Improper input validation within the AmdPspP2CmboxV2 driver may allow a privileged attacker to overwrite SMRAM, leading to arbitrary code execution.

Affected products:

Server:

AMD Motherboard	BIOS Version with the fix
H11 – Naples/Rome	v 3.1
H12 – Rome/Milan	v 3.1
H13 – Genoa	v 3.1
H13 – Siena	v 1.3
H14 - Turin	v 1.1
H13 MI300X (H13DSG-OM)	v 3.2

AMD Server	GPU Firmware Bundle/BKC
H13 AS-8125GS-TNMR2 (H13DSG-OM)	v 24.12

Client:

AMD Motherboard	BIOS version with the fix
M11SDV-4/8C(T)-LN4F	v 1.5
M12SWA-TF	v 2.3
H13SAE-MF	Not Affected
H13SRD-F	Not Affected
H13SRE-F	Not Affected
H13SRH	V 1.6
H13SRA-F	v 1.6
H13SRA-TF	v 1.6

Remediation:

All affected Supermicro motherboard SKUs will require a BIOS update to mitigate this potential vulnerability.
An updated BIOS firmware had been created to mitigate this potential vulnerability. Supermicro is currently testing and validating affected products. Please check Release Notes for the resolution.

Resources:

AMD Security Notice AMD-SN-7027
- CVE-2024-0179
- CVE-2024-21925

Rackmount Servers

1U Dual Processor

2U Dual Processor

Single Processor

Multi Processor

Product Families

GPU Servers

8U/10U GPU Lines

4U GPU Lines

2U GPU Lines

1U GPU Lines

Twin Servers

FlexTwin™

BigTwin®

GrandTwin®

TwinPro®

Twin

FatTwin®

Blade Servers

SuperBlade®

MicroBlade®

MicroCloud

Storage Servers

All Storage Systems

All-Flash NVMe

Top-Loading Storage

JBOF

Enterprise-Optimized Storage

JBOD Storage Enclosures

Motherboards

Server Boards

Workstation Boards

Embedded / IoT Boards

Desktop / Gaming Boards

Previous Gen.

Motherboard Matrix

Global SKUs

Chassis

1U Chassis

2U Chassis

3U Chassis

4U / Tower Chassis

Mid / Mini-Tower

Embedded / IoT Chassis

Mobile Racks / Drive Kits

JBOD Storage Enclosures

Global SKUs

SuperRack®

Data Center Solution Engineering (DCSE)

Rack Integration Service

Accessories

Cable Matrix

Riser Card Matrix

Storage AOC Matrix

Power Supply Matrix

Heatsink Matrix

System Fan Matrix

Mobile Racks / Drive Kits

Front Chassis Bezels

Storage, I/O, Security

Edge & Telecom Servers

Fanless Edge Systems

Compact Edge Systems

Edge GPU Systems

Outdoor Edge Systems

1U Edge Network Systems

5G/Telecom Systems

Embedded Components

Embedded Motherboards

Embedded Chassis

Switches

Adapters

SuperWorkstations

Liquid-Cooled AI Development Platform

Single-Processor

Dual-Processor

Supero™ Gaming Solutions

AI Infrastructure

AI SuperCluster

Enterprise AI