BIOS Vulnerabilities, September 2024
Supermicro is aware of two potential vulnerabilities in the BIOS firmware. These vulnerabilities may allow an attacker to write to SMRAM and hijack the RIP/EIP. They affect Supermicro BIOS for the Denverton platform.
Acknowledgement:
Supermicro would like to acknowledge the work done by a researcher from China, Eason, for discovering potential vulnerabilities in the Supermicro BIOS Firmware.
CVEs:
CVE Number | Description |
---|---|
| | Improper conditions check in Intel BIOS platform sample code for some Intel(R) Processors before may allow a privileged user to potentially enable escalation of privilege via local access. An attacker with privileged access can use this vulnerability to write to SMRAM and hijack the RIP/EIP. |
| | An attacker with privileged access can exploit this vulnerability to write to SMRAM and hijack the RIP/EIP, and can therefore execute arbitrary code in SMM mode. This can allow the attacker to leak the content stored in SMRAM to kernel space. |
Affected Products:
Product/Motherboard | BIOS Version Containing Fix |
---|---|
A2SDi-H-T(P4)F | v 2.1 |
A2SDi-HLN4F | v 2.1 |
A2SDi-TP8F/LN4F | v 2.1 |
A2SDV-LN8F/LN10PF | v 2.1 |
A2SDV-TLN5F | v 2.1 |
A2SD1-3750F/3955F | v 2.1 |
Mitigation:
Supermicro has released BIOS firmware to mitigate these vulnerabilities. Please check the release notes for resolution.
Exploitation and Public Announcement:
Supermicro is not aware of any public announcements or malicious use of the vulnerabilities described in this advisory.