https://community.hpe.com/t5/proliant-servers-ml-dl-sl/critical-vulnerability-cve-2021-38578-in-servers-with-system-rom/m-p/7221123#M188096 <P>HPE has just published a security bulletin with Severity High, "HPESBHF04671 rev.1 - Certian HPE ProLiant DL/ML/SY/XL and Alletra Servers, Out-of-Bounds Write Vulnerability":</P><P><A href="https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&amp;docId=hpesbhf04671en_us" target="_blank" rel="noopener">https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&amp;docId=hpesbhf04671en_us</A></P><P>And the corresponding CVE has a score of at least 9.8 Critical:</P><P><A href="https://nvd.nist.gov/vuln/detail/CVE-2021-38578" target="_blank" rel="noopener">https://nvd.nist.gov/vuln/detail/CVE-2021-38578</A></P><P>So for DL360 Gen11 servers they must be upgraded to System ROM v2.20_05-27-2024 to patch this vulnerability. But the release notes only marks it with Upgrade Requirement "Recommended". The same goes for the latest BIOS v3.20 for DL360 Gen10.</P><P><A href="https://support.hpe.com/connect/s/softwaredetails?collectionId=MTX-4f0883f832e649e7&amp;softwareId=MTX_0a6de5de30d241dda1448bc7e4&amp;tab=Fixes" target="_blank" rel="noopener">https://support.hpe.com/connect/s/softwaredetails?collectionId=MTX-4f0883f832e649e7&amp;softwareId=MTX_0a6de5de30d241dda1448bc7e4&amp;tab=Fixes</A></P><P>Question 1: Can someone explain the apparent discrepancy between the criticalitiy levels here?</P><P>Question 2: I see Gen11 has a more recent update v2.22 marked as Critical, but that doesn't seem to have anything to do with the CVE-2021-38578 vulnerability. Is that correct?</P><P>A CVE score of 9.8 seems pretty serious. The release notes only states "The security vulnerabilities are documented in the CVE report site", but the CVE just says "Existing CommBuffer checks in SmmEntryPoint will not catch underflow when computing BufferSize". That's not very useful.</P><P>Question3: Can someone explain or point to any documentation on what attack vectors there are for servers running vulnerable System ROM versions?</P> Thu, 01 Aug 2024 00:53:34 GMT RuneH 2024-08-01T00:53:34Z https://community.hpe.com/t5/proliant-servers-ml-dl-sl/critical-vulnerability-cve-2021-38578-in-servers-with-system-rom/m-p/7221123#M188096 <P>HPE has just published a security bulletin with Severity High, "HPESBHF04671 rev.1 - Certian HPE ProLiant DL/ML/SY/XL and Alletra Servers, Out-of-Bounds Write Vulnerability":</P><P><A href="https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&amp;docId=hpesbhf04671en_us" target="_blank" rel="noopener">https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&amp;docId=hpesbhf04671en_us</A></P><P>And the corresponding CVE has a score of at least 9.8 Critical:</P><P><A href="https://nvd.nist.gov/vuln/detail/CVE-2021-38578" target="_blank" rel="noopener">https://nvd.nist.gov/vuln/detail/CVE-2021-38578</A></P><P>So for DL360 Gen11 servers they must be upgraded to System ROM v2.20_05-27-2024 to patch this vulnerability. But the release notes only marks it with Upgrade Requirement "Recommended". The same goes for the latest BIOS v3.20 for DL360 Gen10.</P><P><A href="https://support.hpe.com/connect/s/softwaredetails?collectionId=MTX-4f0883f832e649e7&amp;softwareId=MTX_0a6de5de30d241dda1448bc7e4&amp;tab=Fixes" target="_blank" rel="noopener">https://support.hpe.com/connect/s/softwaredetails?collectionId=MTX-4f0883f832e649e7&amp;softwareId=MTX_0a6de5de30d241dda1448bc7e4&amp;tab=Fixes</A></P><P>Question 1: Can someone explain the apparent discrepancy between the criticalitiy levels here?</P><P>Question 2: I see Gen11 has a more recent update v2.22 marked as Critical, but that doesn't seem to have anything to do with the CVE-2021-38578 vulnerability. Is that correct?</P><P>A CVE score of 9.8 seems pretty serious. The release notes only states "The security vulnerabilities are documented in the CVE report site", but the CVE just says "Existing CommBuffer checks in SmmEntryPoint will not catch underflow when computing BufferSize". That's not very useful.</P><P>Question3: Can someone explain or point to any documentation on what attack vectors there are for servers running vulnerable System ROM versions?</P> Thu, 01 Aug 2024 00:53:34 GMT https://community.hpe.com/t5/proliant-servers-ml-dl-sl/critical-vulnerability-cve-2021-38578-in-servers-with-system-rom/m-p/7221123#M188096 RuneH 2024-08-01T00:53:34Z https://community.hpe.com/t5/proliant-servers-ml-dl-sl/critical-vulnerability-cve-2021-38578-in-servers-with-system-rom/m-p/7221433#M188158 <P dir="auto" style="margin: 0;">Hello &nbsp;RuneH,<BR />Thank you for your post.</P> <P dir="auto" style="margin: 0;">as mentioned in the revision history :<BR />"This revision of the System ROM includes the mitigation for security vulnerabilities CVE-2023-5678, CVE-2024-0727, CVE-2021-38578 and CVE-2023-45229. The security vulnerabilities are documented in the CVE report site. They are not unique to HPE servers."</P> <P dir="auto" style="margin: 0;">If you have further questions on the same , We would suggest you to write to "security@hpe.com" with your queries.<BR /><BR /></P> <P dir="auto" style="margin: 0;">Regards<BR />HPE</P> Mon, 29 Jul 2024 03:34:30 GMT https://community.hpe.com/t5/proliant-servers-ml-dl-sl/critical-vulnerability-cve-2021-38578-in-servers-with-system-rom/m-p/7221433#M188158 Sham82 2024-07-29T03:34:30Z https://community.hpe.com/t5/proliant-servers-ml-dl-sl/critical-vulnerability-cve-2021-38578-in-servers-with-system-rom/m-p/7221461#M188165 <P>No, I would suggest that YOU contact your HPE Security team and invite them here to answer these questions <LI-EMOJI id="lia_slightly-smiling-face" title=":slightly_smiling_face:"></LI-EMOJI></P> Mon, 29 Jul 2024 09:13:55 GMT https://community.hpe.com/t5/proliant-servers-ml-dl-sl/critical-vulnerability-cve-2021-38578-in-servers-with-system-rom/m-p/7221461#M188165 RuneH 2024-07-29T09:13:55Z https://community.hpe.com/t5/proliant-servers-ml-dl-sl/critical-vulnerability-cve-2021-38578-in-servers-with-system-rom/m-p/7221535#M188188 <P dir="auto" style="margin: 0;">Hello RuneH,</P> <P dir="auto" style="margin: 0;">That is our internal team.<BR />We request you to log a HPE support case.<BR /><A href="https://support.hpe.com/hpesc/public/usageSupport" target="_blank">https://support.hpe.com/hpesc/public/usageSupport</A></P> <P dir="auto" style="margin: 0;">&nbsp;</P> <P dir="auto" style="margin: 0;">Regards<BR />HPE</P> Tue, 30 Jul 2024 00:42:08 GMT https://community.hpe.com/t5/proliant-servers-ml-dl-sl/critical-vulnerability-cve-2021-38578-in-servers-with-system-rom/m-p/7221535#M188188 Sham82 2024-07-30T00:42:08Z