News

ASPEED AST2400 & AST2500 Security Vunerabilities (CVE-2019-6260)

CVE-2019-6260
2019.03.27

Taipei, Taiwan, 26th March 2019 – GIGABYTE is aware of a recently security vulnerability, CVE-2019-6260, which affects GIGABYTE server motherboards and systems using ASPEED AST2400 or AST2500 SOC to implement BMC functionality. According to the National Vulnerability Database, the ASPEED AST2400 and AST2500 BMC hardware and firmware implement Advanced High-performance Bus bridges, which can allow arbitrary read and write access to the BMC's physical address space from the host.

If you are using a GIGABYTE server product that uses an ASPEED AST2400 or AST2500 SOC, it is recommended the following action be taken to mitigate this security vulnerability:

1. Download an updated version of the server product BIOS which contains CVE-2019-6260 security patch update.
The BIOS update with CVE-2019-6260 security patch is currently being updated for each server product according to the following schedule (please see each product page - support section to download the latest BIOS version)

CPU / CHIPSETSERVER BMC FIRMWARE TYPEBIOS UPDATE SCHEDULE
Intel Xeon E (Mehlow) AMI 3/29
Intel Xeon D (Skylake D) AMI 4/5
AMD EPYC (Naples) AMI 4/12
2nd Gen. Intel Xeon Scalable (Cascade Lake) AMI 4/2
1st Gen. Intel Xeon Scalable (Skylake) Vertiv No schedule yet
Cavium ThunderX / ThunderX2 Vertiv / AMI No schedule yet
All other CPU / chipset Vertiv / AMI No schedule yet

2. Download an updated version of the server product BMC firmware which contains CVE-2019-6260 security patch update.

A. For server products using AMI BMC Firmware (with Megarac SP-X management interface): AMI BMC version 2.83 will be released for download on GIGABYTE's official website on April 1 (please see each product page - support section to download the latest firmware version)

B. For server products using Vertiv BMC firmware (with Avocent Mergepoint 2.0 management inferface): No schedule yet, GIGABYTE is still currently checking with Vertiv.

For further information on CVE-2019-6260, please see the NATIONAL VULNERABILITY DATABASE CVE-2019-6260 detail page: https://nvd.nist.gov/vuln/detail/CVE-2019-6260

For any further assistance regarding this issue, please contact your GIGABYTE sales representative or email GIGABYTE at server.grp (at) gigabyte.com