Intel SPS End of Manufacturing Not Executed for Certain ThinkSystem SR670V2 Servers
Lenovo Security Advisory: LEN-150020
Potential Impact: Tampering
Severity: Low
Scope of Impact: Lenovo-specific
CVE Identifier: CVE-2024-23591
Summary Description:
A customer reported to Lenovo in December 2023 that Intel Server Platform Services (SPS) End of Manufacturing (EOM) was not properly executed on several ThinkSystem SR670V2 motherboards. Upon investigation, it was determined that ThinkSystem SR670V2 servers manufactured from approximately June 2021 to July 2023 were left in Manufacturing Mode.
ThinkSystem SR670V2 systems in Manufacturing Mode could allow an attacker with privileged logical access to the host or physical access to server internals to modify or disable Intel Boot Guard firmware integrity, SPS security, and other SPS configuration settings.
ThinkSystem V2 (and later) servers, including the ThinkSystem SR670V2, contain a parallel NIST SP 800-193-compliant Platform Firmware Resiliency (PFR) security subsystem, which significantly mitigates this issue by ensuring firmware integrity and maintaining most SPS settings in their intended state even if tampering has occurred.
A UEFI firmware update is available which re-asserts intended SPS settings and automatically executes EOM on host reboot, if applicable. Motherboard manufacturing process enhancements have also been implemented.
Mitigation Strategy for Customers (what you should do to protect yourself):
Update system UEFI firmware to version u8e126i-2.20 (or newer) indicated for your model in the Product Impact section.
Customers can optionally use Intel’s spsInfo utility for Windows, Linux, and UEFI Shell to identify affected ThinkSystem SR670V2 servers and confirm proper SPS settings after installing the UEFI firmware update.
Download spsInfo from: https://download.lenovo.com/km/media/psecurity/spsInfo_4.2.97.709.zip
[SHA256: a400de7ccd1d14dc33d04475720e3cbf3e64ab0977de2706b17a16dcab27f7c9]
spsInfo outputs the configured SPS settings. The subset of key intended settings, as seen on unaffected and post-update ThinkSystem SR670V2 servers, is:
FW Status Register 1: 0x010F0245
…
Manufacturing Mode (4): Disabled (0)
…
FD0V Status (24): Status Completed successfully (1)
…
FW Status Register 5: 0x00001F03
Boot Guard ACM Active (0): Boot Guard ACM is active (1)
…
Boot Guard ACM DONE STS (8): Boot Guard ACM is done (1)
…
FW Status Register 6: 0xC4400BC9
…
Measured Boot Policy (8): Enable (1)
Verified Boot Policy (9): Enable (1)
…
Config lock (30): Yes (1)
Successful EOM is noted by the “Manufacturing Mode (4)” parameter having a value of “Disabled (0)”.
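A check of saved spsInfo output against the key settings listed above, as an added example that is not Lenovo's or Intel's code. The line format is assumed to match the excerpt quoted in this advisory, the sample text is constructed from that excerpt, and `parse_spsinfo` and `audit` are hypothetical helper names.

```python
import re

# Key intended settings listed in the advisory: (register, field, bit) -> value
EXPECTED = {
    (1, "Manufacturing Mode", 4): 0,
    (1, "FD0V Status", 24): 1,
    (5, "Boot Guard ACM Active", 0): 1,
    (5, "Boot Guard ACM DONE STS", 8): 1,
    (6, "Measured Boot Policy", 8): 1,
    (6, "Verified Boot Policy", 9): 1,
    (6, "Config lock", 30): 1,
}
REG_RE = re.compile(r"^\s*FW Status Register (\d+):")
FIELD_RE = re.compile(r"^\s*(.+?) \((\d+)\):.*\((\d+)\)\s*$")

def parse_spsinfo(text):
    """Map (register, field, bit) -> value; format assumed from the advisory."""
    fields, reg = {}, None
    for line in text.splitlines():
        if m := REG_RE.match(line):
            reg = int(m.group(1))  # following fields belong to this register
        elif (m := FIELD_RE.match(line)) and reg is not None:
            fields[(reg, m.group(1), int(m.group(2)))] = int(m.group(3))
    return fields

def audit(text):
    """Return deviations; a field missing from the output counts as one."""
    got = parse_spsinfo(text)
    findings = []
    for (reg, name, bit), want in EXPECTED.items():
        have = got.get((reg, name, bit))
        if have != want:
            findings.append(f"Register {reg} {name} ({bit}): got {have}, expected {want}")
    return findings

# Constructed sample: the excerpt quoted in the advisory, not a full spsInfo dump
SAMPLE = """\
FW Status Register 1: 0x010F0245
Manufacturing Mode (4): Disabled (0)
FD0V Status (24): Status Completed successfully (1)
FW Status Register 5: 0x00001F03
Boot Guard ACM Active (0): Boot Guard ACM is active (1)
Boot Guard ACM DONE STS (8): Boot Guard ACM is done (1)
FW Status Register 6: 0xC4400BC9
Measured Boot Policy (8): Enable (1)
Verified Boot Policy (9): Enable (1)
Config lock (30): Yes (1)
"""
```

Pass the text captured from spsInfo on each server to `audit()`; an empty list means every key setting matches, and any entry names the register and field to investigate.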
To download the version specified for your product below, follow these steps:
- Navigate to the Drivers & Software support site for your product:
  - Lenovo Products (sold worldwide, except in China): https://support.lenovo.com/
  - Lenovo Products (sold in China): https://newsupport.lenovo.com.cn/
  - IBM-branded System x Legacy Products: https://www.ibm.com/support/fixcentral/
- Search for your product by name or machine type.
- Click Drivers & Software on the left menu panel.
- Click on Manual Update to browse by Component type.
- Compare the minimum fix version for your product from the applicable product table below with the latest version posted on the support site.
Lenovo also offers tools to assist with update management as an alternative to the manual steps described above. Refer to the following for additional help:
PC Products and Software: https://support.lenovo.com/us/en/solutions/ht504759
Server and Enterprise Software: https://support.lenovo.com/us/en/solutions/lnvo-lxcaupd and https://datacentersupport.lenovo.com/us/en/documents/lnvo-center
Acknowledgement:
Lenovo thanks Eclypsium’s Supply Chain Security Solution for identifying instances of this issue.
Revision History:
Revision | Date | Description |
---|---|---|
2 | 2024-02-14 | Updated product impact |
1 | 2024-02-13 | Initial release |
For a complete list of all Lenovo Product Security Advisories, click here.
For the most up to date information, please remain current with updates and advisories from Lenovo regarding your equipment and software. The information provided in this advisory is provided on an “as is” basis without any warranty or guarantee of any kind. Lenovo reserves the right to change or update this advisory at any time.
Product Impact:
Product | Component | Minimum Fixed Version |
---|---|---|
SR670 V2 (ThinkSystem) | Lenovo ThinkSystem SR670v2 | U8E126I-2.20 |