Statement & Response Plan for Vertiv BMC Firmware Vulnerabilities

CVE-2019-6260, CVE-2018-9086
Jul 22, 2019
Updated: August 12th 2019
Vulnerabilities:
  1. CVE-2019-6260 (Allows arbitrary access to the BMC from the host)
  2. CVE-2018-9086 (Remote update command injection vulnerability)
  3. No cryptographic signature verification for update process
Affected Products: All GIGABYTE server products that use an ASPEED AST2300, AST2400 or AST2500 BMC or AST1250 CMC together with Vertiv Avocent MergePoint EMS Firmware

Dear Valued Customers & Partners,

GIGABYTE is aware that recently there have been several security vulnerabilities discovered with the Avocent MergePoint EMS platform published by Vertiv and used as firmware for GIGABYTE’s server products with an Aspeed AST2300, AST2400 or AST2500 BMC or AST1250 CMC (as covered by US cyber security research organization Eclypsium in their blog post here):

  1. CVE-2019-6260: the ASPEED AST2400 and AST2500 Baseband Management Controller (BMC) hardware and firmware implement Advanced High-performance Bus (AHB) bridges, which allow arbitrary read and write access to the BMC's physical address space from the host.
  2. CVE-2018-9086: a command injection vulnerability exists in the BMC firmware download command. This allows a privileged user to download and execute arbitrary code inside the BMC. This can only be exploited by authorized privileged users.
  3. Cryptographic Verification: the BMC firmware update process for Avocent MergePoint EMS does not perform cryptographic signature verification before accepting updates and writing the contents to SPI flash.

GIGABYTE has issued updated firmware versions (available to download from each product page) with patches to deal with the following vulnerabilities:

    • For GIGABYTE products using an ASPEED AST2500, updated Vertiv firmware version 1.84 with patch for vulnerabilities CVE-2019-6260 and CVE-2018-9086 was released on May 7th 2019
    • For GIGABYTE products using an ASPEED AST2400, updated Vertiv firmware version 8.83_4.83 with patch for vulnerability CVE-2019-6260 has been released on July 22nd, 2019
    • For GIGABYTE products using an ASPEED AST1250 CMC, updated Vertiv firmware version 1.33 with patch for vulnerability CVE-2018-9086 has been released on July 22nd, 2019

GIGABYTE is working rapidly to issue Vertiv firmware updates to mitigate remaining vulnerabilities that have not been resolved with the three updates mentioned above. Please find our current firmware availability / update schedule below (an updated notice in case there is any update or delay to this schedule):

VulnerabilityAST2500AST2400AST1250 CMCAST2400 ARMAST2300
CVE-2019-6260 Available
Patched Version: 1.84
Current Version: 1.91
Available
Patched Version: 8.83_4.83
Current Version: 8.86_4.86
N/A* Available
Patched Version: 771_371
Current Version: 772_372
Available
Patched / Current Version: 2.43
CVE-2018-9086 Available
Patched Version: 1.84
Current Version: 1.91
Available
Patched Version: 8.85_4.85
Current Version: 8.86_4.86
Available
Patched Version: 1.33
Current Version: 1.34
Available
Patched Version: 771_371
Current Version: 772_372
Available
Patched / Current Version: 2.43
Cryptographic Signature Firmware Support Available
Patched / Current Version: 1.91
Available
Patched / Current Version: 8.86_4.86
Available
Patched / Current Version: 1.34
Available
Patched / Current Version: 772_372
Available
Patched / Current Version: 2.43

* AST1250 CMC does not support host access function

Furthermore, GIGABYTE has officially announced End of Support (EOS) for Avocent MergePoint EMS. Support will be provided until March 27th, 2020. For customers using all GIGABYTE server products with an ASPEED AST2500 BMC, it is recommended instead they switch over to our new AMI MegaRAC SP-X firmware solution. For further information on the EOS of Vertiv firmware and instructions about how to change to AMI, please see here: https://www.gigabyte.com/Press/News/1700

For more information or assistance, please check with your GIGABYTE sales representative, or create a new support ticket at https://esupport.gigabyte.com