メインコンテンツに移動
BIOS Vulnerabilities, September 2024

Supermicro is aware of two potential vulnerabilities in the BIOS firmware. These vulnerabilities may allow an attacker to write to SMRAM and hijack the RIP/EIP. They affect Supermicro BIOS for the Denverton platform.

Acknowledgement:

Supermicro would like to acknowledge the work done by a researcher from China, Eason, for discovering potential vulnerabilities in the Supermicro BIOS Firmware.

CVEs:

CVE NumberDescription
Improper conditions check in Intel BIOS platform sample code for some Intel(R) Processors before may allow a privileged user to potentially enable escalation of privilege via local access. An attacker with privileged access can use this vulnerability to write to SMRAM and hijack the RIP/EIP.
An attacker with privileged access can exploit this vulnerability to write to SMRAM and hijack the RIP/EIP; and therefore, can execute arbitrary code in SMM mode. This can allow the attacker to leak the content stored in SMRAM to kernel space.

Affected Products:

Product/MotherboardBIOS Version Containing Fix
A2SDi-H-T(P4)Fv 2.1
A2SDi-HLN4Fv 2.1
A2SDi-TP8F/LN4Fv 2.1
A2SDV-LN8F/LN10PFv 2.1
A2SDV-TLN5Fv 2.1
A2SD1-3750F/3955Fv 2.1

Mitigation:

Supermicro has released BIOS firmware to mitigate these vulnerabilities. Please check the release notes for resolution.

Exploitation and Public Announcement:

Supermicro is not aware of any public announcements or malicious use of the vulnerabilities described in this advisory.