Supermicro has fixed the security vulnerability known as “PKfail”. This vulnerability may allow a malicious actor to launch advanced firmware-level attacks from within the operating system by undermining UEFI Secure Boot. It was determined that some Supermicro products shipped with insecure Platform Keys (PK), which form the root of trust for the UEFI Secure Boot key hierarchy in the BIOS. These insecure keys were generated by American Megatrends International (AMI) and were supplied to Supermicro only as a reference example.
Affected products timeline:
- 2017 and prior: All BIOS firmware released before 2017 is affected. All products shipped with this firmware have reached end of life (EOL).
- 2017 to December 2023: BIOS firmware released between 2017 and December 2023 may be affected. Most of these BIOS firmware releases have been fixed, but due to human error a few instances may still contain the insecure key.
- 2024: All BIOS firmware released in 2024 already includes the fix.
Conclusion and Suggestions:
All current BIOS firmware versions include the fix. If you are running BIOS firmware released between 2017 and December 2023, it is recommended that you upgrade to the latest BIOS firmware. If the BIOS version used in your environment was released before January 2024, please contact Supermicro technical support to verify whether that version is affected.
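As a quick local check before contacting support, the following is an added example (not Supermicro's or AMI's code) that reads the Platform Key from efivarfs on a Linux host, walks the EFI_SIGNATURE_LIST structure defined by the UEFI specification, and scans the embedded X.509 certificate for the “DO NOT TRUST” / “AMI Test PK” subject strings that identify the AMI reference keys in the public PKfail disclosure. The efivarfs path and the marker strings are assumptions taken from the UEFI specification and public reporting rather than from this advisory, and the sample inputs are constructed stand-ins, not real certificates.

```python
"""Check whether a UEFI Platform Key (PK) is one of the AMI reference/test keys.

Parses the PK authenticated-variable payload (a chain of EFI_SIGNATURE_LIST
structures), extracts each X.509 entry, and scans it for the subject strings
of the AMI test keys. Runs offline on constructed samples; on a live Linux host
it reads the PK from efivarfs (may require root).
"""
import struct
import uuid
from typing import List, Tuple

# efivarfs exposes "<name>-<vendor GUID>"; PK lives under EFI_GLOBAL_VARIABLE.
# The first 4 bytes of an efivarfs file are the variable attributes, not data.
PK_EFIVAR_PATH = "/sys/firmware/efi/efivars/PK-8be4df61-93ca-11d2-aa0d-00e098032b8c"

# SignatureType for lists that hold DER-encoded X.509 certificates (UEFI spec).
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")

# Subject strings of the AMI test PKs named in the public PKfail disclosure.
# Assumption: this is a heuristic marker list, not an authoritative list from
# the Supermicro advisory; confirm any hit against the vendor's own guidance.
TEST_KEY_MARKERS = (b"DO NOT TRUST", b"DO NOT SHIP", b"AMI Test PK")

# EFI_SIGNATURE_LIST header: SignatureType, SignatureListSize,
# SignatureHeaderSize, SignatureSize (all little-endian).
SIG_LIST_HDR = struct.Struct("<16sIII")
OWNER_GUID_LEN = 16  # EFI_SIGNATURE_DATA.SignatureOwner precedes each entry


def parse_signature_lists(data: bytes) -> List[Tuple[uuid.UUID, bytes]]:
    """Walk every EFI_SIGNATURE_LIST in a PK/KEK/db payload.

    Returns (SignatureType, SignatureData) per EFI_SIGNATURE_DATA entry, with
    the 16-byte SignatureOwner GUID stripped so the data is the bare certificate.
    """
    entries = []
    off = 0
    while off + SIG_LIST_HDR.size <= len(data):
        raw_type, list_size, hdr_size, sig_size = SIG_LIST_HDR.unpack_from(data, off)
        end = off + list_size
        if list_size < SIG_LIST_HDR.size or end > len(data) or sig_size <= OWNER_GUID_LEN:
            raise ValueError(f"malformed EFI_SIGNATURE_LIST at offset {off}")
        sig_type = uuid.UUID(bytes_le=raw_type)
        pos = off + SIG_LIST_HDR.size + hdr_size
        while pos + sig_size <= end:
            entries.append((sig_type, data[pos + OWNER_GUID_LEN:pos + sig_size]))
            pos += sig_size
        off = end
    return entries


def find_test_key_markers(pk_payload: bytes) -> List[bytes]:
    """Return the marker strings found in any X.509 certificate in the PK.

    The subject of the AMI test keys is plain ASCII inside the DER encoding, so
    a byte substring search is enough to flag it; an empty list means no match.
    """
    hits = []
    for sig_type, cert_der in parse_signature_lists(pk_payload):
        if sig_type != EFI_CERT_X509_GUID:
            continue
        hits.extend(m for m in TEST_KEY_MARKERS if m in cert_der)
    return hits


def build_x509_list(cert_der: bytes, owner: uuid.UUID = uuid.UUID(int=0)) -> bytes:
    """Encode one EFI_SIGNATURE_LIST holding a single X.509 entry (test helper)."""
    sig_size = OWNER_GUID_LEN + len(cert_der)
    header = SIG_LIST_HDR.pack(
        EFI_CERT_X509_GUID.bytes_le, SIG_LIST_HDR.size + sig_size, 0, sig_size
    )
    return header + owner.bytes_le + cert_der


def read_pk_from_efivarfs(path: str = PK_EFIVAR_PATH) -> bytes:
    """Read the live PK on Linux, dropping the 4-byte efivarfs attribute prefix."""
    with open(path, "rb") as f:
        return f.read()[4:]


# Constructed sample inputs (NOT real certificates, only stand-ins for DER blobs
# so the parser and the marker scan can be exercised offline).
SAMPLE_TEST_PK = build_x509_list(b"\x30\x82\x01\x00CN=DO NOT TRUST - AMI Test PK 0001\x00")
SAMPLE_VENDOR_PK = build_x509_list(b"\x30\x82\x01\x00CN=Example Vendor Platform Key\x00")


if __name__ == "__main__":
    try:
        payload = read_pk_from_efivarfs()
    except OSError as exc:  # not Linux, no UEFI, or insufficient privileges
        print(f"cannot read live PK ({exc}); using constructed sample")
        payload = SAMPLE_TEST_PK
    hits = find_test_key_markers(payload)
    print("AMI test Platform Key markers found:", hits if hits else "none")
```

A hit means the platform still boots with a reference PK and the BIOS should be upgraded as recommended above; no hit is not proof of safety, since the check only matches the known subject strings. For an exact comparison, `efi-readvar -v PK` (efitools) or `mokutil --pk` print the certificate subject, and `openssl x509 -inform der -noout -subject -fingerprint -sha256` run on the extracted DER blob gives a fingerprint to compare against whatever list of affected keys the vendor or the disclosure publishes.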