NORCROSS, GEORGIA, USA - AMI, a global leader in BIOS and UEFI firmware, server and remote management tools, data storage products and unique solutions based on the Linux® and Android™ operating systems, has released an additional statement clarifying the impact of the "Meltdown" and "Spectre" security vulnerabilities on its MegaRAC® SP-X Service Processor Firmware as implemented on Arm®-based BMC SoCs from ASPEED Technology Inc.
In reports issued earlier this year by security analysts, it was disclosed that several different Arm processor cores were potentially impacted by the Spectre and Meltdown vulnerabilities. In response, one of the first actions by taken by AMI was to complete comprehensive vulnerability testing of our MegaRAC SP-X Service Processor Firmware for Baseboard Management Controllers (BMCs) and each of the SoC platforms that utilize it. Soon after, AMI issued a Security Advisory to our key OEM and ODM customers and reassure them that these vulnerabilities did not affect MegaRAC SP-X. In particular, AMI would like to emphasize that users of AMI's MegaRAC SP-X Service Processor Firmware should not be concerned about these reports with respect to our MegaRAC firmware or the Arm11™-based ASPEED AST2500 BMC SoC and Arm9™-based ASPEED AST2300 and 2400 BMC SoCs.
The MegaRAC team at AMI has worked closely with ASPEED Technology Inc. and other silicon vendors to identify any potential vulnerabilities. A Security Advisory has already been issued to OEM/ODM customers of AMI soon after this news emerged, and we are now sharing it with the general public.
In our Security Advisory, AMI detailed how we have reviewed these security issues in detail and determined that MegaRAC SP-X is not affected or compromised by either of these vulnerabilities in any way when operating on the ASPEED AST2300, AST2400 and AST2500 BMC SoCs. To summarize this Advisory, it should be noted that all MegaRAC management stacks run a controlled, and pre-defined firmware environment on the BMC SoCs. This restricts running an external application/software on the BMC SoC at runtime. So, no external, malicious application or software can be executed on the BMC SoC, to exploit the reported vulnerabilities.
Subramonian Shankar, President, Founder and CEO of AMI, offered the following comments on the company's recent activities and position regarding these security issues:
"Over the years, AMI has come up with what we believe to be a robust security framework, which allows us to keep tabs on the security vulnerabilities that are relevant to AMI products and take immediate action. From our perspective, we don't see the threat of security issues like Meltdown and Spectre going away in the future. Therefore, it is imperative that we work closely with our partner Arm-based silicon providers and other silicon manufacturers to continue to address them. We see ourselves as a partner with silicon manufacturers in many technical and strategic initiatives over the course of many years and we will continue to do so, to address security vulnerabilities in a timely, coordinated and effective manner."
AMI will continue to monitor the security situation around Meltdown and Spectre closely as it evolves and make the public, as well as our valued partners, OEM and ODM customers and end users of AMI products, aware of any additional details that may emerge. AMI stands with our technology partners such as ASPEED Technology Inc. to help create a secure computing world.
AMI recommends that systems vulnerable to Meltdown and Spectre security vulnerabilities apply all appropriate operating system security patches, which can be obtained directly from the operating system vendor. To learn more about MegaRAC SP-X Service Processor Firmware from AMI, please visit https://ami.com/en/products/remote-management/service-processor/.
ASPEED is a trademark of ASPEED Technology Inc. in the US and other countries. Arm, Arm9 and Arm11 are trademarks or registered trademarks of Arm Limited (or its subsidiaries) in the US and/or elsewhere.
Founded in 1985 and known worldwide for AMIBIOS®, the mission of AMI is to power, manage and secure connected devices by providing best-in-class UEFI and remote management firmware, software and utilities to top-tier manufacturers of desktop, server, mobile and embedded/IoT systems. In line with its technology focus, AMI is a member of numerous industry associations and standards groups, such as the Unified EFI Forum (UEFI), the NIST National Cybersecurity Excellence Partnership (NCEP) and Trusted Computing Group (TCG). Headquartered in Duluth, Georgia, AMI has locations in the U.S., China, Germany, India, Japan, Korea, Taiwan and Hong Kong to better serve its customers.
For more information on AMI, its products or services, call 1-800-U-BUY-AMI or visit ami.com.
Statement of Liability: © 2020 AMI Product specifications are subject to change without notice. Products mentioned may be trademarks or registered trademarks of their respective companies. All rights reserved. No warranties are made, either express or implied, with regard to the contents of this work, its merchantability or fitness for a particular use. This publication contains proprietary information, which is protected by copyright. AMI reserves the right to update, change and/or modify this product at anytime.