メインコンテンツに移動
LogoFAIL vulnerability, December 2023

Findings:

Supermicro is aware of a potential vulnerability known as “LogoFAIL” in the BIOS firmware. Improper input validation in an image parser library used by BIOS may allow a privileged user to potentially enable escalation of privilege via local access.

CVE:

  • CVE-2023-39538
    Severity: high
  • CVE-2023-39539
    Severity: high

Affected products:

X13-AlderLakeBIOS version with the fix
B4SA1-CPU3.1
X13SAE3.1
X13SAE-F3.1
X13SAN-H/-E/-L/-C3.1
X13SAQ3.1
X13SAV-LVDS3.1
X13SAV-PS3.1
X13SAZ-F3.1
X13SAZ-Q3.1
X13-FishHawk FallsBIOS version with the fix
X13SRA-TF2.0a
X13SWA-T(F)2.0a
X13-RaptorLakeBIOS version with the fix
X13SRN-H/-E/-WOHS3.1
X13-CatlowBIOS version with the fix
X13SCL-IF1.2
X13SCL-F1.2
X13SCH1.2
X13SCD-F1.2
X13SCW1.2
B4SC11.2
R12-ARM Altra (Max)BIOS version with the fix
R12SPD-A/-M1.2
R12SPD-R1.2
X12-TatlowBIOS version with the fix
X12STW1.8
X12STH1.8
X12STD1.8
X12STE1.8
X12STL-IF1.8
X12STL-F1.8
B3ST11.8
X12/C9-RocketlakeBIOS version with the fix
X12SAE-51.5a
X12SCA-5F1.5a
C9Z590-CG(W)1.5a
X12/C9-CometlakeBIOS version with the fix
X12SAE/X12SCA-F2.9
X12SCQ2.9
X12SCV-LVDS2.9a
X12SCV-W2.9a
X12SCZ-TLN4F/QF/F2.9a
C9Z490-PGW2.9a
X12-IdavilleBIOS version with the fix
X12SDV-SPT4F1.7
X12SDV-SP6F1.7
X12SDV-SPT8F1.7
B3SD1TBD
X12-TigerLakeBIOS version with the fix
X12STN1.5
X11-BakervilleBIOS version with the fix
B2SD22.1
X11SDC2.1
X11SDV-TLN2F2.1
X11SDV-TP8F2.1
X11SDW-TP13F2.1
X11SDW-TP13F+2.1
X11SDD1.4b
X11SDS1.4
X11-PurleyBIOS version with the fix
X11SPi-TF4.2
X11SPG-TF4.2
X11SPH-nCT(P)F4.2
X11SPL-F4.2
X11SPM-(T)F/TPF4.2
X11SPW-(C)TF4.2
X11DPi-N/NT/Ni4.2
X11DAi-N4.2
X11DGQ-R4.0
X11DPG-HGX2EOL
X11DPG-OT4.0
X11DPS-RE4.2
X11DAC4.2
X11DGO4.2
X11QPH+4.2
X11QPL4.2
X11OPi4.2
B11DPT4.2
B11DPE4.0
B11QPI/-T4.0
X11DPD-L/M254.2
X11DPG-QT (32MB)4.2
X11DPG-QT (64MB)4.2
X11DPL-i4.2
X11DPU4.2
X11DPU-V4.2
X11DPU-RTBD
X11DPX-T4.2
X11DSC+4.2
X11DDW-L/N(T)4.2
X11DPFF-SN4.2
X11DPFR-S(N)4.2
X11DPH-T(Q)(F)4.2
X11DPT-B4.2
X11DPT-PS4.2
X11DPU-Z+4.2
B11SPE4.2
X11-Greenlow_ServerBIOS version with the fix
X11SSD-F3.1
X11SSH-(C)TF3.1
X11SSH-(LN4)F3.1
X11SSL(-F)3.1
X11SSL-C/nF3.1
X11SSM(-F)3.1
X11SSW-(4)TF3.1
X11SSW-F3.1
X11SSA-F/X11SSi-LN4F3.1
X11SSE-F3.1
X11SSH-G(T)F-1585(L)1.8
X11SSV-M4F3.1
B2SS2-F3.1
B2SS2-CPU/-(C)F3.1
B2SS1/2(-H)-MTF1.8
X11-Greenlow_WorkstationBIOS version with the fix
X11SAE(-F)4.0
X11SAE-M4.0
X11SAT-F4.0
X11SSQ4.0
X11SSQ-L4.0
X11SSV-Q/LVDS4.0
X11SSZ-(Q)F/TLN4F4.0
X11-Whiskeylake-UBIOS version with the fix
X11SWN2.0
X11-BraswellBIOS version with the fix
X11SBA-LN4F/F1.2
X11-Mehlow_ServerBIOS version with the fix
X11SCW2.3
X11SCD2.3
X11SCM2.3
X11SCL-LN4F2.3
X11SCE2.3
X11SCH2.3
X11SCL-F2.3
X11SCL2.3
X11-Mehlow_WorkstationBIOS version with the fix
X11SCA-F2.3a
X11SCQ/L2.3
X11SCV-Q/L2.3
X11SCZ-F/Q2.3
B2SC11.5c
B2SC21.5c
B11SCG-CTF1.5c
B11SCG-ZTF1.5c
X11-BasinFallsBIOS version with the fix
X11SRM-F2.9
X11SRA/-(R)F2.9
C9X299-PG(F)/RPGF2.9
C9X299-PG3002.9
C9X299-PG300F2.9
B11SRE2.8
X11SRi-IF2.8
X11-Kabylake-UBIOS version with the fix
X11SSN-H/E/L2.2
A3-JacobsvilleBIOS version with the fix
A3SPI-4C/8C-LN6PF/HLN4F1.2
A3SSV-8C/16C/24C-SPLN10F1.2
A3-ElkHart LakeBIOS version with the fix
A3SEV1.5
A2-DenvertonBIOS version with the fix
A2SDi-H-T(P4)F1.9
A2SDi-HLN4F1.9
A2SDi-TP8F/LN4F1.9
A2SDV-LN8F/LN10PF1.9
A2SDV-TLN5F1.9
A2SD1-3750F/3955F1.9
A2-ApollolakeBIOS version with the fix
A2SAN-H/L/E & X11SAN2.0
A2SAN-LN4-E/C2.0
A2SAP-H/E/L2.0
A2SAP-L12.0
A2SAV(-L) & X11SAA2.0
H11-NaplesBIOS version with the fix
H11SSL-i/(N)C2.8
H11SSW-NT/iN2.8
H11DSU-I(N)2.8
H11DSI-(N)T2.8
H11DST-B2.8
H11-RomeBIOS version with the fix
H11SSL-i/(N)C1.4
H11SSW-NT/iN1.4
H11DSU-I(N)1.4
H11DSI-(N)T1.4
H11DST-B1.4
H12-Rome/MilanBIOS version with the fix
H12SSFF-AN62.9
H12DST-B2.9
H12SSG-ANP6TBD
H12DSI-N6/NT62.9
H12SSW-iN/NT2.9
H12DGO-62.9
H12DSG-O-CPUTBD
H12SSL-i/C/CT/NT2.9
H12DGQ-NT62.9
H12DSG-Q-CPU62.9
H12SSW-INR/NTR2.9
H12SSW-iNL/NTL2.9
H12SSW-AN62.9
H12SST-PS2.9
H12DSU-iN2.9
H12DSU-iNR2.9
H12SSG-AN62.9
H12SSFR-AN62.9
BH12SSi-M25TBD
H13-AM5BIOS version with the fix
H13SAE1.2
H13SRD1.2
M12-ChagalBIOS version with the fix
M12SWA2.2
M11-WallabyBIOS version with the fix
M11SDV-LN4F1.2

Mitigation:

All products that support Root of Trust (RoT) are not affected by this vulnerability.

Supermicro is currently working on updating BIOS firmware to mitigate this issue. Please check the release notes for resolution.

Exploitation and Public Announcement:

Supermicro is not aware of any public announcements or malicious use of these vulnerabilities that is described in this advisory.