AMD Security Bulletin AMD-SB-4007, May 2024

Vulnerability Disclosure:

Supermicro is aware of memory leak vulnerabilities in the AMD DXE driver in server and client desktop and mobile APUs/CPUs that may allow a highly privileged user to obtain sensitive information. This issue affects AMD EPYC™ 3rd Gen Processors.

CVE:

  • CVE-2023-20594
    • Severity: Medium
  • CVE-2023-20597
    • Severity: Medium

Findings:

Memory leak vulnerabilities in the AMD DXE driver in server and client desktop and mobile APUs/CPUs may allow a highly privileged user to obtain sensitive information. These potential vulnerabilities in the Driver Execution Environment (DXE) driver may allow an attacker to dump stack memory or global memory into an NVRAM variable. This may result in a denial-of-service or information disclosure.

Affected products:

Supermicro BIOS in the server H12 motherboards and H13 and M12 client boards.

Server Motherboards:

| AMD Motherboard Generation | BIOS Version with the fix |
|---|---|
| H12 - Milan | v 2.8 |

Client Products:

| AMD Client Motherboard | BIOS Version with the fix |
|---|---|
| H13SRD-F | v 1.2 |
| H13SRE-F | v 1.0 |
| H13SAE-MF | v 2.0a |
| M12SWA-TF | v 2.2 |

Remediation:

  • All affected Supermicro motherboard SKUs will require a BIOS update to mitigate this potential vulnerability.
  • An updated BIOS firmware has been created to mitigate this potential vulnerability. Supermicro is currently testing and validating affected products. Please check the Release Notes for the resolution.