QCT Security Notice
Server
30 May 2022

Quanta Cloud Technology (QCT) has addressed a security vulnerability known as CVE-2019-6260 and “Pantsdown.”

The vulnerability, whose details were disclosed in early 2019, affects ASPEED AST2400 and AST2500 BMC hardware and firmware implementing Advanced High-performance Bus (AHB) bridges, which allow arbitrary read and write access to the BMC's physical address space from the host and — in some cases — from the network.

Following ASPEED’s official recommendation, QCT has addressed this vulnerability by modifying registers in the ASPEED chip to disable all SoCFlash interfaces, without affecting normal functions.

Updated firmware for the QuantaGrid D52B has completed validation and is now available to customers on request.

  

  

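QCT Security Notice

Quanta Cloud Technology (QCT) has patched the security vulnerability CVE-2019-6260 (nicknamed Pantsdown).

The security vulnerability CVE-2019-6260 (nicknamed Pantsdown) was discovered in early 2019; see the related information for details. It affects ASPEED AST2400 and AST2500 hardware and firmware produced by Taiwan's ASPEED Technology and fitted with Advanced High-performance Bus bridges, allowing malicious programs to gain unauthorized access from the host (and, in a few cases, over the network) and to read and write arbitrarily in the physical address space of the Baseboard Management Controller (BMC).

Following ASPEED's recommendation, QCT has patched this vulnerability by modifying registers on the ASPEED chip to disable all SoCFlash interfaces, without affecting normal functions.

QCT has completed validation and updating of the firmware for the affected QuantaGrid D52B server, and provides it to customers who need it.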