Power9: A new Power Systems firmware update is being released to address Common Vulnerabilities and Exposures issue number CVE-2021-20487. The Self Boot Engine(SBE) can be compromised from the service processor to allow injection of malicious code. An attacker that gains root access to the service processor could compromise the integrity of the host firmware and bypass the host firmware signature verification process. This compromised state can not be detected through TPM attestation.
CVEID:CVE-2021-20487
**DESCRIPTION:**IBM Power9 Self Boot Engine(SBE) could allow a privileged user to inject malicious code and compromise the integrity of the host firmware bypassing the host firmware signature verification process.
CVSS Base score: 8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/197730 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H)
Affected Product(s) | Version(s) |
---|---|
OPENBMC | OP940 |
Server Firmware | FW930 |
Server Firmware | FW941 |
Server Firmware | FW940 |
Customers with the products below, install FW930.30 or later if using FW930.XX. Install FW940.20 or later if using FW940.XX. Or install FW950.00 or later.
Customers with the products below, install FW950.00 or later
Customers with the products below, install OP940.20 or later
None