QCT Security Notice
30 May. 2022

Quanta Cloud Technology (QCT) has addressed a security vulnerability known as CVE-2019-6260 and “Pantsdown.”

The vulnerability, whose details were disclosed in early 2019, affects ASPEED AST2400 and AST2500 BMC hardware and firmware implementing Advanced High-performance Bus (AHB) bridges, which allow arbitrary read and write access to the BMC's physical address space from the host and — in some cases — from the network.

QCT has found a solution to this vulnerability by disabling all SoCFlash interfaces through modifying registers in the ASPEED chip without affecting normal functions according to ASPEED’s official suggestion.

Updated firmware for QuantaGrid D52B has completed validation and is now available upon customers’ request.





編號CVE-2019-6260(外號Pantsdown)的安全性漏洞在2019年初被發現,詳見相關資訊。它影響由臺灣信驊科技(ASPEED)生產、安裝先進高性能匯流排橋接器的ASPEED AST2400及AST2500硬體與韌體,讓惡意程式可從主機(少部份情況下可透過網路)進行非授權存取,在基板管理控制器(Baseboard Management Controller, BMC)實體位址空間任意讀寫。


雲達科技已完成受影響的QuantaGrid D52B伺服器韌體驗證及更新,提供給有需要的客戶使用。