AMD Security Bulletin AMD-SB-7027, February 2025
Vulnerability Disclosure:
Supermicro is aware of and is addressing two security vulnerabilities reported by Quarkslab within the AmdPspP2CmboxV2 and AmdCpmDisplayFeatureSMM UEFI modules supported on multiple AMD processors that could allow attackers to execute code within SMM (System Management Mode).
CVE:
- CVE-2024-0179
- Severity: High
- CVE-2024-21925
- Severity: High
Findings:
These vulnerabilities can allow a ring 0 attacker to escalate their privileges, potentially resulting in arbitrary code execution within SMM. AMD plans to release mitigations to address these vulnerabilities.
- CVE-2024-0179:
- Improper input validation in Satellite Management Controller (SMC) may allow an attacker with privileges to use certain special characters in manipulated Redfish® API commands, causing service processes like OpenBMC to crash and reset, potentially resulting in denial of service.
- CVE-2024-21925:
- SMM callout vulnerability within the AmdCpmDisplayFeatureSMM driver could allow locally authenticated attackers to overwrite SMRAM, potentially resulting in arbitrary code execution.
- CVE-2024-21925:
- Improper input validation within the AmdPspP2CmboxV2 driver may allow a privileged attacker to overwrite SMRAM, leading to arbitrary code execution.
Affected products:
Server:
| AMD Motherboard | BIOS Version with the fix |
|---|---|
| H11 – Naples/Rome | v 3.1 |
| H12 – Rome/Milan | v 3.1 |
| H13 – Genoa | v 3.1 |
| H13 – Siena | v 1.3 |
| H14 - Turin | v 1.1 |
| H13 MI300X (H13DSG-OM) | v 3.2 |
| AMD Server | GPU Firmware Bundle/BKC |
|---|---|
| H13 AS-8125GS-TNMR2 (H13DSG-OM) | v 24.12 |
Client:
| AMD Motherboard | BIOS version with the fix |
|---|---|
| M11SDV-4/8C(T)-LN4F | v 1.5 |
| M12SWA-TF | v 2.3 |
| H13SAE-MF | Not Affected |
| H13SRD-F | Not Affected |
| H13SRE-F | Not Affected |
| H13SRH | V 1.6 |
| H13SRA-F | v 1.6 |
| H13SRA-TF | v 1.6 |
Remediation:
- All affected Supermicro motherboard SKUs will require a BIOS update to mitigate this potential vulnerability.
- An updated BIOS firmware had been created to mitigate this potential vulnerability. Supermicro is currently testing and validating affected products. Please check Release Notes for the resolution.