Intel SPS End of Manufacturing Not Executed for Certain ThinkSystem SR670V2 Servers

Lenovo Security Advisory: LEN-150020

Potential Impact: Tampering

Severity: Low

Scope of Impact: Lenovo-specific

CVE Identifier: CVE-2024-23591

 

Summary Description:

A customer reported to Lenovo in December 2023 that Intel Server Platform Services (SPS) End of Manufacturing (EOM) was not properly executed on several ThinkSystem SR670V2 motherboards. Upon investigation, it was determined that ThinkSystem SR670V2 servers manufactured from approximately June 2021 to July 2023 were left in Manufacturing Mode.

ThinkSystem SR670V2 systems in Manufacturing Mode could allow an attacker with privileged logical access to the host or physical access to server internals to modify or disable Intel Boot Guard firmware integrity, SPS security, and other SPS configuration settings.

ThinkSystem V2 (and later) servers, including the ThinkSystem SR670V2, contain a parallel NIST SP 800-193-compliant Platform Firmware Resiliency (PFR) security subsystem which significantly mitigates this issue by ensuring firmware integrity and maintaining most SPS settings in their intended state even if tampering has occurred.

A UEFI firmware update is available which re-asserts intended SPS settings and automatically executes EOM on host reboot, if applicable. Motherboard manufacturing process enhancements have also been implemented.

 

Mitigation Strategy for Customers (what you should do to protect yourself):

Update system UEFI firmware to version u8e126i-2.20 (or newer) indicated for your model in the Product Impact section.

Customers can optionally use Intel’s spsInfo utility for Windows, Linux, and UEFI Shell to identify affected ThinkSystem SR670V2 servers and confirm proper SPS settings after installing the UEFI firmware update.

Download spsInfo from: https://download.lenovo.com/km/media/psecurity/spsInfo_4.2.97.709.zip
[SHA256: a400de7ccd1d14dc33d04475720e3cbf3e64ab0977de2706b17a16dcab27f7c9]

spsInfo will output the configured SPS settings. The key intended settings, as seen on unaffected and post-update ThinkSystem SR670V2 servers, are:

FW Status Register 1: 0x010F0245
  Manufacturing Mode (4):       Disabled (0)
  FD0V Status (24):             Status Completed successfully (1)

FW Status Register 5: 0x00001F03
  Boot Guard ACM Active (0):    Boot Guard ACM is active (1)
  Boot Guard ACM DONE STS (8):  Boot Guard ACM is done (1)

FW Status Register 6: 0xC4400BC9
  Measured Boot Policy (8):     Enable (1)
  Verified Boot Policy (9):     Enable (1)
  Config lock (30):             Yes (1)

Successful EOM is noted by the “Manufacturing Mode (4)” parameter having a value of “Disabled (0)”.
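
The check described above can be scripted across a fleet. The following is an added example, not Lenovo or Intel tooling: it assumes spsInfo output has been saved as text containing "FW Status Register N: 0x..." lines in the form shown in this advisory, and it treats each listed field as a single bit at the position given in parentheses. The function names are hypothetical.

```python
import re

# Expected bit values taken from the advisory's list of intended settings:
# register number -> {bit position: (field name, expected value)}
EXPECTED = {
    1: {4: ("Manufacturing Mode", 0), 24: ("FD0V Status", 1)},
    5: {0: ("Boot Guard ACM Active", 1), 8: ("Boot Guard ACM DONE STS", 1)},
    6: {8: ("Measured Boot Policy", 1), 9: ("Verified Boot Policy", 1),
        30: ("Config lock", 1)},
}
REG_LINE = re.compile(r"FW Status Register\s+(\d+)\s*:\s*0x([0-9A-Fa-f]{1,8})\b")

def parse_registers(text):
    """Return {register number: 32-bit value} for every register line found."""
    return {int(n): int(v, 16) for n, v in REG_LINE.findall(text)}

def check_sps(text):
    """Return a list of findings; an empty list means all intended settings match."""
    regs = parse_registers(text)
    findings = []
    for reg, fields in EXPECTED.items():
        if reg not in regs:
            # Missing data is reported as a failure, never a silent pass.
            findings.append(f"FW Status Register {reg}: not found in output")
            continue
        for bit, (name, want) in fields.items():
            got = (regs[reg] >> bit) & 1
            if got != want:
                findings.append(f"FW Status Register {reg}: {name} ({bit}) "
                                f"is {got}, expected {want}")
    return findings

# Register values as listed in the advisory for an unaffected or updated server.
GOOD = """FW Status Register 1: 0x010F0245
FW Status Register 5: 0x00001F03
FW Status Register 6: 0xC4400BC9"""
# Constructed sample: the same values with only bit 4 of register 1 set.
IN_MFG_MODE = GOOD.replace("0x010F0245", "0x010F0255")

if __name__ == "__main__":
    for label, sample in (("intended", GOOD), ("constructed", IN_MFG_MODE)):
        print(label, check_sps(sample) or "OK")
```

A non-empty result from check_sps identifies a server that should receive the UEFI update or be rechecked after it.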

 

Product Impact:

To download the version specified for your product below, follow these steps:

Navigate to the Drivers & Software support site for your product:

  1. Search for your product by name or machine type.
  2. Click Drivers & Software on the left menu panel.
  3. Click on Manual Update to browse by Component type.
  4. Compare the minimum fix version for your product from the applicable product table below with the latest version posted on the support site.

Lenovo also offers tools to assist with update management as an alternative to the manual steps described above. Refer to the following for additional help:

PC Products and Software: https://support.lenovo.com/us/en/solutions/ht504759

Server and Enterprise Software: https://support.lenovo.com/us/en/solutions/lnvo-lxcaupd and https://datacentersupport.lenovo.com/us/en/documents/lnvo-center

 


Acknowledgement:

Lenovo thanks Eclypsium’s Supply Chain Security Solution for identifying instances of this issue.

 

Revision History:

Revision   Date         Description
2          2024-02-14   Updated product impact
1          2024-02-13   Initial release

For the most up to date information, please remain current with updates and advisories from Lenovo regarding your equipment and software. The information provided in this advisory is provided on an “as is” basis without any warranty or guarantee of any kind. Lenovo reserves the right to change or update this advisory at any time.

 

Product Impact:

ThinkSystem

Product                  Component                    Minimum Fixed Version
SR670 V2 (ThinkSystem)   Lenovo ThinkSystem SR670v2   U8E126I-2.20

Alias Id: LEN-150020
Document ID: PS500606
Original Publish Date: 02/13/2024
Last Modified Date: 02/14/2024