Details regarding a microprocessor vulnerability that could impact Supermicro systems has been announced and requires a microcode update of the system BIOS along with an operating system update. Commonly referred to as Meltdown and Spectre the vulnerability involves malicious code utilizing a new method of side-channel analysis and running locally on a normally operating platform has the potential to allow the inference of data values from memory.
To address the issue systems may require both an Operating System update and a BIOS update. Please check with operating system or VM vendors for related information.
- Intel Advisory (Intel-SA-00088)
- AMD Advisory
- NVD CVE-2017-5715
- NVD CVE-2017-5754
- NVD CVE-2017-5753
UPDATE (August 14, 2018):
On August 14th Intel released information about a new side-channel security issue referred to as
- L1 Terminal Fault (L1TF)
- L1 Terminal Fault –SGX (CVE-2018-3615)
- L1 Terminal Fault -OS, SMM (CVE-2018-3620)
- L1 Terminal Fault –VMM (CVE-2018-3646)
Based on the information provided by Intel no new update of the Supermicro BIOS or Firmware is required at this time, "Fault is addressed by microcode updates released earlier this year". Please check the tables below which indicate the BIOS version with the most up to date fixes for the Spectre and Meltdown issues. These updates which were released earlier this year contain the necessary fixes for these new issues identified by Intel.
UPDATE (June 8, 2018):
A 3rd party security firm who has been testing the BIOS/Firmware security of our systems. They recently published the results of that effort and we have introduced fixes to the issues raised in the blog.
There are three different security areas identified in the blog.
- Read/Write versus Read Only Firmware/Flash Descriptor Table
This issue does not affect the latest generation of X11 or earlier generation X9 products, but X10 products are impacted. We do not believe this issue will impact any customers data, but could make the system non-operational.
For the effected platforms we will be rolling out the fix along w/ the latest Spectre/Meltdown (Intel-SA-00115) firmware update. These combined updates will be rolling out over the next few weeks. Please check the status of individual updates below. We are combining this update with the fix for latest fix for the Spectre/Meltdown BIOS to minimize the number of reboots and BIOS updates required.
- The two other issues raised in the article are new security features (cryptographically signing the BIOS and limiting BIOS downgrades in cases of a critical security patch). We are already shipping these features for some customers and for all new platforms moving forward these features are enabled.
Due to issues of backward compatibility, we are making the upgrade to these new features optional for existing systems. For customers with existing platforms please contact your sales representative or associated product manager to determine if upgrading the features for software signing and limited rollbacks on your existing systems is appropriate. A new BIOS with these features enabled will be required. Availability of the BIOS will be based on demand.
BIOS and Firmware security has become a growing challenge for the industry. We highly recommend customers update BIOS and Firmware on their systems on a regular basis as these new vulnerabilities are addressed.
UPDATE (May 21, 2018):
On May 21st 2018 Intel announced additional microcode updates will be released (Intel-SA-00115). These new updates will include enhancements to address these potential security vulnerabilities.
- CVE-2018-3639 7.1 High CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
- CVE-2018-3640 4.3 Medium CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
When Intel releases the microcode we will productize, test and release new BIOS. Please refer to the comment column in the tables below regarding version and status for these additional BIOS updates.
For AMD systems, refer to the H11 & H8 tab below.
We will update this web page with BIOS updates when they become available.
Dual & Single Processor H11 Systems (top)
Dual, Single & Multi-Processor H8 Motherboards (top)
||Immune to Intel-SA-00115