Advisory No: TZCERT/SA/2024/07/26-1
Date of First Release: 26th July 2024
Source: Hewlett-Packard (HP)
Software Affected: HPE ProLiant DL/ML/SY/XL, Alletra Servers, HPE Synergy, HPE Edgeline, HPE Compute Edge Server
Overview:
HPE ProLiant DL/ML/SY/XL, Alletra Servers, HPE Synergy, HPE Edgeline, and HPE Compute Edge Server are affected by a critical-severity vulnerability. Attackers can leverage the vulnerability to cause a buffer overflow.
Description:
The critical-severity vulnerability affecting several HP products has a CVSS score of 9.8 and is tracked as CVE-2021-38578. The vulnerability results from the existing CommBuffer checks in SmmEntryPoint not catching an integer underflow when computing BufferSize. Successful exploitation of this vulnerability could allow an attacker to cause a buffer overflow, which may lead to code execution on the affected device.
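As an added illustration (not code from the advisory or from HPE/EDK2), the C model below shows the class of check the description refers to: a payload capacity derived by subtracting a header size from a caller-supplied buffer size, which wraps when the buffer is smaller than the header, beside the hardened form that rejects undersized buffers before subtracting. The struct layout and function names are assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of an SMM communicate buffer: a fixed header followed
 * by the message payload. Field names and layout are assumptions for this
 * example, not the real firmware definitions. */
typedef struct {
    uint8_t  guid[16];
    uint64_t message_length;   /* caller-controlled payload length */
    uint8_t  data[];
} comm_header_t;

#define HEADER_SIZE offsetof(comm_header_t, data)

/* Vulnerable pattern: the payload capacity (BufferSize) is derived by
 * subtracting the header size from the caller-supplied buffer size. When
 * comm_size < HEADER_SIZE the unsigned subtraction wraps to a huge value,
 * the bounds check passes, and message_length is trusted. */
bool validate_unsafe(uint64_t message_length, uint64_t comm_size) {
    uint64_t buffer_size = comm_size - HEADER_SIZE;   /* may underflow */
    return message_length <= buffer_size;
}

/* Hardened pattern: reject any buffer too small to hold the header before
 * the subtraction, so BufferSize can never wrap. */
bool validate_safe(uint64_t message_length, uint64_t comm_size) {
    if (comm_size < HEADER_SIZE) {
        return false;
    }
    uint64_t buffer_size = comm_size - HEADER_SIZE;
    return message_length <= buffer_size;
}

int main(void) {
    /* A 4 KiB message length declared inside an 8-byte buffer, which is
     * smaller than the header itself. */
    printf("unsafe accepts undersized buffer: %d\n", validate_unsafe(4096, 8));
    printf("safe accepts undersized buffer:   %d\n", validate_safe(4096, 8));
    printf("safe accepts well-formed buffer:  %d\n",
           validate_safe(4096, HEADER_SIZE + 4096));
    return 0;
}
```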
Impact:
Successful exploitation of this vulnerability may allow an attacker to take control of the vulnerable system.
Solution:
HP has released security patches to address the vulnerability. Users and administrators are encouraged to apply necessary updates.
References: