Statement & Response Plan for Vertiv BMC Firmware Vulnerabilities
| Updated: | August 12th 2019 |
|---|---|
| Vulnerabilities: |
|
| Affected Products: | All GIGABYTE server products that use an ASPEED AST2300, AST2400 or AST2500 BMC or AST1250 CMC together with Vertiv Avocent MergePoint EMS Firmware |
Dear Valued Customers & Partners,
GIGABYTE is aware that recently there have been several security vulnerabilities discovered with the Avocent MergePoint EMS platform published by Vertiv and used as firmware for GIGABYTE’s server products with an Aspeed AST2300, AST2400 or AST2500 BMC or AST1250 CMC (as covered by US cyber security research organization Eclypsium in their blog post here):
- CVE-2019-6260: the ASPEED AST2400 and AST2500 Baseband Management Controller (BMC) hardware and firmware implement Advanced High-performance Bus (AHB) bridges, which allow arbitrary read and write access to the BMC's physical address space from the host.
- CVE-2018-9086: a command injection vulnerability exists in the BMC firmware download command. This allows a privileged user to download and execute arbitrary code inside the BMC. This can only be exploited by authorized privileged users.
- Cryptographic Verification: the BMC firmware update process for Avocent MergePoint EMS does not perform cryptographic signature verification before accepting updates and writing the contents to SPI flash.
GIGABYTE has issued updated firmware versions (available to download from each product page) with patches to deal with the following vulnerabilities:
- For GIGABYTE products using an ASPEED AST2500, updated Vertiv firmware version 1.84 with patch for vulnerabilities CVE-2019-6260 and CVE-2018-9086 was released on May 7th 2019
- For GIGABYTE products using an ASPEED AST2400, updated Vertiv firmware version 8.83_4.83 with patch for vulnerability CVE-2019-6260 has been released on July 22nd, 2019
- For GIGABYTE products using an ASPEED AST1250 CMC, updated Vertiv firmware version 1.33 with patch for vulnerability CVE-2018-9086 has been released on July 22nd, 2019
GIGABYTE is working rapidly to issue Vertiv firmware updates to mitigate remaining vulnerabilities that have not been resolved with the three updates mentioned above. Please find our current firmware availability / update schedule below (an updated notice in case there is any update or delay to this schedule):
| Vulnerability | AST2500 | AST2400 | AST1250 CMC | AST2400 ARM | AST2300 |
|---|---|---|---|---|---|
| CVE-2019-6260 | Available Patched Version: 1.84 Current Version: 1.91 |
Available Patched Version: 8.83_4.83 Current Version: 8.86_4.86 |
N/A* | Available Patched Version: 771_371 Current Version: 772_372 |
Available Patched / Current Version: 2.43 |
| CVE-2018-9086 | Available Patched Version: 1.84 Current Version: 1.91 |
Available Patched Version: 8.85_4.85 Current Version: 8.86_4.86 |
Available Patched Version: 1.33 Current Version: 1.34 |
Available Patched Version: 771_371 Current Version: 772_372 |
Available Patched / Current Version: 2.43 |
| Cryptographic Signature Firmware Support | Available Patched / Current Version: 1.91 |
Available Patched / Current Version: 8.86_4.86 |
Available Patched / Current Version: 1.34 |
Available Patched / Current Version: 772_372 |
Available Patched / Current Version: 2.43 |
* AST1250 CMC does not support host access function
Furthermore, GIGABYTE has officially announced End of Support (EOS) for Avocent MergePoint EMS. Support will be provided until March 27th, 2020. For customers using all GIGABYTE server products with an ASPEED AST2500 BMC, it is recommended instead they switch over to our new AMI MegaRAC SP-X firmware solution. For further information on the EOS of Vertiv firmware and instructions about how to change to AMI, please see here: https://www.gigabyte.com/Press/News/1700
For more information or assistance, please check with your GIGABYTE sales representative, or create a new support ticket at https://esupport.gigabyte.com
