Vulnerabilities affecting BullSequana servers
On February 1st, 2022, CERT/CC, Insyde Inc., and Binarly Inc. jointly disclosed a set of vulnerabilities affecting the InsydeH2O Hardware-2-Operating System (H2O) UEFI BIOS.
These vulnerabilities generalize, to all Intel and AMD chipset configurations, a 2020 vulnerability (CVE-2020-5953) that affected a version of InsydeH2O supporting one specific Intel chipset. They affect any product whose UEFI BIOS is based on InsydeH2O, including some BullSequana products.
Atos is liaising closely with its suppliers and investigating the exact nature of these vulnerabilities to provide validated remediation.
The management part of the platforms (the BMC) is not affected by these vulnerabilities; they lie in the computing part of the servers (the host UEFI firmware).
Administrative access to the host would allow an attacker to implant malware in the System Management Mode (SMM) area that is very hard to detect from the operating system. Under certain circumstances, these vulnerabilities could also help circumvent Secure Boot and other security features that preserve the integrity of the platform firmware.
See the attached Security Bulletin for more details.