HPE Community
ProLiant Servers (ML,DL,SL)
1820623 Members
2210 Online
109626 Solutions
New Discussion

Re: Critical vulnerability CVE-2021-38578 in servers with System ROM prior to May 2024

 
RuneH
Occasional Contributor

‎07-23-2024 07:50 AM - last edited on ‎07-31-2024 05:53 PM by

‎07-23-2024 07:50 AM - last edited on ‎07-31-2024 05:53 PM by

Critical vulnerability CVE-2021-38578 in servers with System ROM prior to May 2024

HPE has just published a security bulletin with Severity High, "HPESBHF04671 rev.1 - Certian HPE ProLiant DL/ML/SY/XL and Alletra Servers, Out-of-Bounds Write Vulnerability":

https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=hpesbhf04671en_us

And the corresponding CVE has a score of at least 9.8 Critical:

https://nvd.nist.gov/vuln/detail/CVE-2021-38578

So for DL360 Gen11 servers they must be upgraded to System ROM v2.20_05-27-2024 to patch this vulnerability. But the release notes only marks it with Upgrade Requirement "Recommended". The same goes for the latest BIOS v3.20 for DL360 Gen10.

https://support.hpe.com/connect/s/softwaredetails?collectionId=MTX-4f0883f832e649e7&softwareId=MTX_0a6de5de30d241dda1448bc7e4&tab=Fixes

Question 1: Can someone explain the apparent discrepancy between the criticalitiy levels here?

Question 2: I see Gen11 has a more recent update v2.22 marked as Critical, but that doesn't seem to have anything to do with the CVE-2021-38578 vulnerability. Is that correct?

A CVE score of 9.8 seems pretty serious. The release notes only states "The security vulnerabilities are documented in the CVE report site", but the CVE just says "Existing CommBuffer checks in SmmEntryPoint will not catch underflow when computing BufferSize". That's not very useful.

Question3: Can someone explain or point to any documentation on what attack vectors there are for servers running vulnerable System ROM versions?

3 people had this problem.
Reply
3 REPLIES 3
Sham82
HPE Pro

‎07-28-2024 08:34 PM

‎07-28-2024 08:34 PM

Re: Critical vulnerability CVE-2021-38578 in servers with System ROM prior to May 2024

Hello  RuneH,
Thank you for your post.

as mentioned in the revision history :
"This revision of the System ROM includes the mitigation for security vulnerabilities CVE-2023-5678, CVE-2024-0727, CVE-2021-38578 and CVE-2023-45229. The security vulnerabilities are documented in the CVE report site. They are not unique to HPE servers."

If you have further questions on the same , We would suggest you to write to "security@hpe.com" with your queries.

Regards
HPE



I work at HPE
HPE Support Center offers support for your HPE services and products when and how you need it. Get started with HPE Support Center today.
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]
Accept or Kudo
0 Kudos
Reply
RuneH
Occasional Contributor

‎07-29-2024 02:13 AM - edited ‎07-29-2024 02:13 AM

‎07-29-2024 02:13 AM - edited ‎07-29-2024 02:13 AM

Re: Critical vulnerability CVE-2021-38578 in servers with System ROM prior to May 2024

No, I would suggest that YOU contact your HPE Security team and invite them here to answer these questions

Reply
Sham82
HPE Pro

‎07-29-2024 05:42 PM

‎07-29-2024 05:42 PM

Re: Critical vulnerability CVE-2021-38578 in servers with System ROM prior to May 2024

Hello RuneH,

That is our internal team.
We request you to log a HPE support case.
https://support.hpe.com/hpesc/public/usageSupport

 

Regards
HPE



I work at HPE
HPE Support Center offers support for your HPE services and products when and how you need it. Get started with HPE Support Center today.
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]
Accept or Kudo
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.