AMD Security Bulletin AMD-SB-6016, February 2025
Vulnerability Disclosure:
Supermicro is aware of and is addressing the security vulnerabilities in the Satellite Management Controller (SMC) in AMD Instinct™ MI300X Accelerators. These vulnerabilities could potentially cause denial of service and/or data corruption.
CVE:
- CVE-2024-21927
  - Severity: Medium
- CVE-2024-21935
  - Severity: Medium
- CVE-2024-21936
  - Severity: High
Findings:
- CVE-2024-21927:
  - Improper input validation in Satellite Management Controller (SMC) may allow an attacker with privileges to use certain special characters in manipulated Redfish® API commands, causing service processes like OpenBMC to crash and reset, potentially resulting in denial of service.
- CVE-2024-21935:
  - Improper input validation in Satellite Management Controller (SMC) may allow an attacker with privileges to manipulate Redfish® API commands to remove files from the local root directory, potentially resulting in data corruption.
- CVE-2024-21936:
  - Improper input validation in Satellite Management Controller (SMC) may allow an attacker with privileges to send multiple manipulated Redfish® API commands, causing service processes like OpenBMC to crash and reset, potentially resulting in denial of service.
Affected products:
| AMD Motherboard | BIOS Version with the fix |
|---|---|
| H13 MI300X (H13DSG-OM) | Not affected |

| AMD Server | GPU Firmware Bundle/BKC |
|---|---|
| H13 AS-8125GS-TNMR2 (H13DSG-OM) | v 24.12 |
Remediation:
- All affected Supermicro motherboard SKUs will require a GPU firmware update to mitigate these potential vulnerabilities.
- An updated GPU firmware has been created to mitigate these potential vulnerabilities. Supermicro is currently testing and validating affected products. Please check the Release Notes for the resolution.