Vulnerability Disclosure:
Supermicro is aware of the security issue where it may be possible to modify serial presence detect (SPD) metadata to make an attached memory module appear larger than it is, which may produce memory address aliasing. This issue affects AMD EPYC™ 3rd and 4th Gen Processors.
CVE:
- CVE-2024-21944
- Severity: Medium
Findings:
This security vulnerability undermines the integrity of features of Secure Encrypted Virtualization Secure Nested Paging (SEV-SNP). An attacker may modify serial presence detect (SPD) metadata to make a memory module appear larger than it is. By doubling the reported size of a memory module, two different system-physical addresses, as seen by the host, may alias to the same underlying DRAM location. This could allow an attacker to overwrite and corrupt system memory, potentially bypassing protections offered by SEV-SNP. The researchers demonstrate a method of exploiting this attack that requires physical access to the dual in-line memory modules (DIMMs) but believe the attack could also be executed without physical access if DIMM does not lock SPD.
Affected products:
Supermicro BIOS in the server H12 and H13 motherboards.
| AMD Motherboard Generation | BIOS Version with the fix |
|---|---|
| H12 - Milan | v 3.0 |
| H13 - Genoa | v 3.1 |
| H13VW-NT - Siena | v 1.3 |
Remediation:
- All affected Supermicro motherboard SKUs will require a BIOS update to mitigate this potential vulnerability.
- An updated BIOS firmware had been created to mitigate this potential vulnerability. Supermicro is currently testing and validating affected products. Please check Release Notes for the resolution.