Security Bulletin: Denial of service vulnerability affects IBM Unified Extensible Firmware Interface (CVE-2017-5703)

2023-12-07 22:31:03
www.ibm.com

CVSS2: 3.6

Metric | Value
---|---
Attack Vector | LOCAL
Attack Complexity | LOW
Authentication | NONE
Confidentiality Impact | NONE
Integrity Impact | PARTIAL
Availability Impact | PARTIAL

Vector: AV:L/AC:L/Au:N/C:N/I:P/A:P

CVSS3: 6

Metric | Value
---|---
Attack Vector | LOCAL
Attack Complexity | LOW
Privileges Required | HIGH
User Interaction | NONE
Scope | CHANGED
Confidentiality Impact | NONE
Integrity Impact | NONE
Availability Impact | HIGH

Vector: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H

EPSS: 0 (Percentile: 5.1%)

Summary

IBM System x, Flex and BladeCenter systems have addressed the following denial of service vulnerability in Unified Extensible Firmware Interface (UEFI).

Vulnerability Details

CVEID: CVE-2017-5703
DESCRIPTION: Multiple Intel platforms are vulnerable to a denial of service, caused by the configuration of SPI Flash controllers inside multiple Intel chipsets. A local authenticated attacker could exploit this vulnerability to block BIOS/UEFI updates and alter the behavior of the SPI Flash, resulting in a denial of service.
CVSS Base Score: 7.9
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/141349> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H)

Affected Products and Versions

Product | Affected Version
---|---
BladeCenter HS23 7875/1929 | tke1
BladeCenter HS23E 8038/8039 | ahe1
Flex System x220 2585/7906 | kse1
Flex System x222 7916 | cce1
Flex System x240 7863/8737/8738/8956 | b2e1
Flex System x440 7917 | cne1
System x iDataPlex dx360 M4 7912/7913 | tde1
System x NeXtScale nx360 M4 5455 | fhe1
System x3100 M4 2582, System x3250 M4 2583 | jqe1
System x3300 M4 7382 | yae1
System x3500 M4 7383 | y5e1
System x3550 M4 7914 | d7e1
System x3630 M4 7158, System x3530 M4 7160 | bee1
System x3650 M4 7915, System x3650 M4 HD 5460 | vve1
System x3650 M4 BD 5466 | yoe1
System x3750 M4 8718/8722/8733/8752 | koe1

Remediation/Fixes

Firmware fix versions are available on Fix Central: <http://www.ibm.com/support/fixcentral/>

Product | Fix Version
---|---
BladeCenter HS23 7875/1929 (ibm_fw_uefi_tke160c-2.40_anyos_32-64) | tke160c-2.40
BladeCenter HS23E 8038/8039 (ibm_fw_uefi_ahe160c-2.80_anyos_32-64) | ahe160c-2.80
Flex System x220 2585/7906 (ibm_fw_uefi_kse158c-2.20_anyos_32-64) | kse158c-2.20
Flex System x222 7916 (ibm_fw_uefi_cce160c-2.00_anyos_32-64) | cce160c-2.00
Flex System x240 7863/8737/8738/8956 (ibm_fw_uefi_b2e162c-2.20_anyos_32-64) | b2e162c-2.20
Flex System x440 7917 (ibm_fw_uefi_cne162d-2.10_anyos_32-64) | cne162d-2.10
System x iDataPlex dx360 M4 7912/7913 (ibm_fw_uefi_tde156c-2.10_anyos_32-64) | tde156c-2.10
System x NeXtScale nx360 M4 5455 (ibm_fw_uefi_fhe120d-1.90_anyos_32-64) | fhe120d-1.90
System x3100 M4 2582, System x3250 M4 2583 (ibm_fw_uefi_jqe184c-1.90_anyos_32-64) | jqe184cs-1.90
System x3300 M4 7382 (ibm_fw_uefi_yae156c-2.10_anyos_32-64) | yae156C - 2.10
System x3500 M4 7383 (ibm_fw_uefi_y5e158c-2.60_anyos_32-64) | y5e158c-2.60
System x3550 M4 7914 (ibm_fw_uefi_d7e164c-2.70_anyos_32-64) | d7e164c-2.70
System x3630 M4 7158, System x3530 M4 7160 (ibm_fw_uefi_bee164c-3.00_anyos_32-64) | bee164c-3.00
System x3650 M4 7915, System x3650 M4 HD 5460 (ibm_fw_uefi_vve160c-2.70_anyos_32-64) | vve160c-2.70
System x3650 M4 BD 5466 (ibm_fw_uefi_yoe126c-2.20_anyos_32-64) | yoe126c-2.20
System x3750 M4 8718/8722/8733/8752 (ibm_fw_uefi_koe160c-2.20_anyos_32-64) | koe160c-2.20

Workarounds and Mitigations

None

Affected configurations

Vulners

Node: ibm system_x_idataplex_dx360_m2_server (match: any) OR ibm flex_system_manager (match: any) OR ibm system_x_idataplex_dx360_m2_server (match: any)

Vendor | Product | Version | CPE
---|---|---|---
ibm | system_x_idataplex_dx360_m2_server | any | `cpe:2.3:h:ibm:system_x_idataplex_dx360_m2_server:any:*:*:*:*:*:*:*`
ibm | flex_system_manager | any | `cpe:2.3:a:ibm:flex_system_manager:any:*:*:*:*:*:*:*`
