ASPEED AST2400 & AST2500 Security Vunerabilities (CVE-2019-6260)

CVE-2019-6260
Mar 26, 2019

Update 4th September 2019  – GIGABYTE has discovered an issue when customers using an older Linux Distributition update their BMC firmware to the new version containing the CVE-2019-6260 patch - the installation will fail.

Affected OS: Debian 8 / Redhat 7.3 / CentOS 6.9
Root Cause: Host access ASTSoC P2A (CVE-2019-6260 item 3) for standard VGA 2D driver
Solution: Add "nomodeset" in kernel boot option, please refer to the below images:

(RedHat 7.3)

(CentOS 6.9)

Update 19th August 2019 GIGABYTE is aware of a recently security vulnerability, CVE-2019-6260, which affects GIGABYTE server motherboards and systems using ASPEED AST2400 or AST2500 SOC to implement BMC functionality. According to the National Vulnerability Database, the ASPEED AST2400 and AST2500 BMC hardware and firmware implement Advanced High-performance Bus bridges, which can allow arbitrary read and write access to the BMC's physical address space from the host.

If you are using a GIGABYTE server product that uses an ASPEED AST2400 or AST2500 SOC, it is recommended the following action be taken to mitigate this security vulnerability:

1. Download an updated version of the server product BIOS which contains CVE-2019-6260 security patch update.
The BIOS update with CVE-2019-6260 security patch is currently being updated for each server product according to the following schedule (please see each product page - support section to download the latest BIOS version)

CPU / CHIPSETBMC FIRMWAREBMC SOCBIOS UPDATE SCHEDULE
Intel Xeon E (Mehlow) AMI AST2500 Available
AMD EPYC (Naples) AMI AST2500 Available
Cavium ThunderX2 AMI AST2500 Available
2nd Gen. Intel Xeon Scalable (Cascade Lake) AMI AST2500 Available
Intel Xeon D-2100 (Skylake D) AMI AST2500 Available
AMD EPYC (Naples) Vertiv AST2400 Available
Cavium ThunderX Vertiv AST2400 Available
Intel Xeon E3-1200 v6/v5 (Greenlow) Vertiv AST2400 Available
Intel Xeon D-1500 (Broadwell DE) Vertiv AST2400 Available
Intel Xeon E5-2600 v4/v3 (Grantley) Vertiv AST2400 Available

2. Download an updated version of the server product BMC firmware which contains CVE-2019-6260 security patch update.

A. For server products using AMI BMC Firmware (with Megarac SP-X management interface):

  • AMI BMC Firmware: Available (Version 2.83)

(please see each product page - support section to download the latest firmware version)

B. For server products using Vertiv BMC firmware (with Avocent Mergepoint 2.0 management inferface):

  • Vertiv BMC Firmware for AST2400 (x86): Available (Version 8.83_4.83)
  • Vertiv BMC Firmware for AST2400 (Arm): Available (Version 772_372)
  • Vertiv BMC Firmware for AST2500: Available (Version 1.84)

(please see each product page - support section to download the latest firmware version)

For further information on CVE-2019-6260, please see the NATIONAL VULNERABILITY DATABASE CVE-2019-6260 detail page: https://nvd.nist.gov/vuln/detail/CVE-2019-6260

For any further assistance regarding this issue please contact your GIGABYTE sales representative, or file a new support ticket at https://esupport.gigabyte.com