
Bulletin: HPE ProLiant Gen9 Servers - Potential Security Vulnerability in the HPE Trusted Platform Module 2.0 Option Firmware Version 5.51 for HPE ProLiant Gen9 Servers

SUPPORT COMMUNICATION - CUSTOMER BULLETIN

Document ID: a00028289en_us

Version: 3

Bulletin: (Revision) HPE ProLiant Gen9 Servers - Potential Vulnerability in the HPE Trusted Platform Module 2.0 Option Firmware Version 5.51 for HPE ProLiant Gen9 Servers
NOTICE: The information in this document, including products and software versions, is current as of the Release Date. This document is subject to change without notice.

Release Date: 2017-10-27

Last Updated: 2017-10-27


DESCRIPTION

Document Version | Release Date | Details
3 | 10/27/2017 | Updated Resolution to include information regarding System ROM Version 2.52. Updated Scope to indicate this is not an HPE-specific issue. Updated Scope to indicate HPE Gen10 TPM 1.2 Option Kit (Part Number 872108-B21) and HPE Gen10 TPM 2.0 Option Kit (Part Number 864279-B21) are not affected.
2 | 10/19/2017 | Updated Description, added CVE-2017-15361.
1 | 10/10/2017 | Original Document Release.

A vulnerability (CVE-2017-15361) has been identified in HPE ProLiant Gen9 servers configured with Trusted Platform Module (TPM) 2.0 with firmware version 5.51. An algorithm within the firmware has been discovered to generate weaker RSA keys. The vulnerability is within the firmware and not with the TPM module.

This is not HPE-specific. This also affects any system using a non-HPE branded TPM option with firmware version 5.51.

Please refer to the Infineon advisory located at the following Infineon website for details:

https://www.infineon.com/TPM-update

NOTE: The link above will take you outside the HPE website. HPE is not responsible for content outside of the HPE website.

SCOPE

Any HPE ProLiant Gen9 server with the HPE TPM 2.0 option (part number 745823-B21) at firmware version 5.51. TPM firmware version 5.62 or later is not affected. The HPE TPM 2.0 option is not standard on HPE ProLiant Gen9 servers.

Note 1: The HPE Gen10 TPM 1.2 Option Kit (Part Number 872108-B21) and HPE Gen10 TPM 2.0 option kit (Part Number 864279-B21) are NOT affected.

Note 2: The HPE TPM 1.2 Option Kit (Part Number 488069-B21) for HPE ProLiant G6 through ProLiant Gen9 servers is NOT affected.

RESOLUTION

To correct this issue, update the "HPE Trusted Platform Module 2.0 Option" to firmware version 5.62. After the firmware upgrade, the TPM will generate RSA keys using an improved algorithm. Revoking the weak TPM-generated RSA keys will still be required. Refer to the OS documentation for OS-specific instructions. In addition, a System ROM update to version 2.50 (or later) is required and the TPM must be enabled before updating the TPM 2.0 firmware.
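The decision logic of the Scope and Resolution text, written out as an added example (not HPE code) that triages inventory records and returns the remediation steps in order. The record field names and sample hosts are hypothetical, the sample System ROM value 2.40 is constructed, and treating the System ROM update as the first step is an assumed reading of the paragraph above.

```python
# Added example: triage constructed inventory records against this bulletin.
# Field names and hosts are hypothetical; version numbers come from the bulletin.
AFFECTED_TPM_FW = (5, 51)  # firmware version the bulletin names as affected
FIXED_TPM_FW = (5, 62)     # "5.62 or later is not affected"
MIN_SYSTEM_ROM = (2, 50)   # System ROM needed before the TPM firmware update
REVOKE = "Revoke RSA keys the TPM generated on firmware 5.51 (see OS documentation)"


def parse_version(text):
    """Turn '5.51' into (5, 51) so versions compare numerically."""
    return tuple(int(part) for part in text.strip().split("."))


def triage(host):
    """Return (status, ordered remediation steps) for one inventory record."""
    if host.get("tpm_family") != "2.0":
        return "out-of-scope", []  # no TPM, or a TPM 1.2 option
    fw = parse_version(host["tpm_fw"])
    if fw >= FIXED_TPM_FW:
        # Updating the firmware does not repair keys created earlier.
        return "firmware-fixed", ["If this TPM ever ran 5.51: " + REVOKE]
    if fw != AFFECTED_TPM_FW:
        # The bulletin only speaks to 5.51 and to 5.62 or later.
        return "unknown", ["Check the Infineon advisory for this firmware version"]
    steps = []
    if parse_version(host["system_rom"]) < MIN_SYSTEM_ROM:
        steps.append("Update System ROM to 2.50 or later")
    if not host["tpm_enabled"]:
        steps.append("Enable the TPM")
    steps.append("Update HPE TPM 2.0 Option firmware to 5.62")
    steps.append(REVOKE)
    return "affected", steps


# Constructed sample records, not real hosts.
INVENTORY = [
    {"host": "gen9-a", "tpm_family": "2.0", "tpm_fw": "5.51",
     "system_rom": "2.40", "tpm_enabled": False},
    {"host": "gen9-b", "tpm_family": "2.0", "tpm_fw": "5.62",
     "system_rom": "2.52", "tpm_enabled": True},
    {"host": "gen9-c", "tpm_family": "1.2", "tpm_fw": None,
     "system_rom": "2.52", "tpm_enabled": True},
]

if __name__ == "__main__":
    for record in INVENTORY:
        status, steps = triage(record)
        print(record["host"], status)
        for number, step in enumerate(steps, 1):
            print(f"  {number}. {step}")
```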

The latest version of the System ROM is available as follows:

  1. Click the following link:

    http://www.hpe.com/support/hpesc

  2. Enter a product name (e.g., "DL380 Gen9") in the text field under Enter a Product Name or Number.
  3. Click Go.
  4. Select the appropriate product model from the Results list (if prompted).
  5. Click the "drivers, software & firmware" hyperlink under the Download Options tab.
  6. Select the system's specific operating system from the Operating Systems dropdown menu.
  7. Click the category BIOS - System ROM.
  8. Select the latest release of HPE System ROM Version 2.50 (or later).
  9. Click Download.

The latest version of the TPM firmware is available as follows:

  1. Click the following link:

    http://www.hpe.com/support/hpesc

  2. Enter a product name (e.g., "DL380 Gen9") in the text field under Enter a Product Name or Number.
  3. Click Go.
  4. Select the appropriate product model from the Results list (if prompted).
  5. Click the "drivers, software & firmware" hyperlink under the Download Options tab.
  6. Select the system's specific operating system from the Operating Systems dropdown menu.
  7. Click the category Firmware.
  8. Select the latest release of the HPE Trusted Platform Module 2.0 Option firmware update for HPE Gen9 Servers Version 5.62 (or later).
  9. Click Download.

Please note that the following servers use System ROM Version 2.50 (or later):

  • HPE ProLiant DL580 Gen9 server
  • HPE ProLiant DL20 Gen9 server
  • HPE ProLiant ML30 Gen9 server
  • HPE Synergy 620 Gen9 Compute Module
  • HPE Synergy 680 Gen9 Compute Module

Please note that the following servers use System ROM Version 2.52 (or later), as version 2.50 is no longer available for download:

  • HPE Apollo 4200 Gen9 Server
  • HPE ProLiant BL460c Gen9 Server Blade
  • HPE ProLiant BL660c Gen9 Server Blade
  • HPE ProLiant DL120 Gen9 Server
  • HPE ProLiant DL160 Gen9 Server
  • HPE ProLiant DL180 Gen9 Server
  • HPE ProLiant DL360 Gen9 Server
  • HPE ProLiant DL380 Gen9 Server
  • HPE ProLiant DL560 Gen9 Server
  • HPE ProLiant DL60 Gen9 Server
  • HPE ProLiant DL80 Gen9 Server
  • HPE ProLiant ML110 Gen9 Server
  • HPE ProLiant ML150 Gen9 Server
  • HPE ProLiant ML350 Gen9 Server
  • HPE ProLiant WS460c Gen9 Graphics Server Blade
  • HPE ProLiant XL170r Gen9 Server
  • HPE ProLiant XL230a Gen9 Server
  • HPE ProLiant XL250a Gen9 Server
  • HPE ProLiant XL260a Gen9 Server
  • HPE ProLiant XL450 Gen9 Server
  • HPE ProLiant XL730f Gen9 Server
  • HPE ProLiant XL740f Gen9 Server
  • HPE ProLiant XL750f Gen9 Server
  • HPE Synergy 480 Gen9 Compute Module
  • HPE Synergy 660 Gen9 Compute Module




To search for additional advisories related to the HPE Trusted Platform Module 2.0, use the following search string:

+Advisory +ProLiant -"Software and Drivers" +"HPE Trusted Platform Module 2.0"


Hardware Platforms Affected: HPE ProLiant ML30 Gen9 Server, HPE ProLiant DL20 Gen9 Server, HPE Synergy 480 Gen9 Compute Module, HPE Synergy 660 Gen9 Compute Module, HPE Synergy 620 Gen9 Compute Module, HPE Synergy 680 Gen9 Compute Module, HPE ProLiant XL260a Gen9 Server, HPE ProLiant XL730f Gen9 Server, HPE ProLiant DL160 Gen9 Server, HPE ProLiant DL180 Gen9 Server, HPE ProLiant DL360 Gen9 Server, HPE ProLiant BL460c Gen9 Server Blade, HPE ProLiant DL380 Gen9 Server, HPE ProLiant ML350 Gen9 Server, HPE ProLiant XL230a Gen9 Server, HPE ProLiant XL250a Gen9 Server, HPE ProLiant XL740f Gen9 Server, HPE ProLiant XL750f Gen9 Server, HPE ProLiant DL120 Gen9 Server, HPE ProLiant ML150 Gen9 Server, HPE ProLiant DL60 Gen9 Server, HPE ProLiant DL80 Gen9 Server, HPE ProLiant ML110 Gen9 Server, HPE ProLiant XL170r Gen9 Server, HPE ProLiant DL580 Gen9 Server, HPE ProLiant BL660c Gen9 Server Blade, HPE ProLiant DL560 Gen9 Server, HPE Apollo 4200 Gen9 Server, HPE ProLiant XL450 Gen9 Server
Operating Systems Affected: Not Applicable
Software Affected: Not Applicable
Support Communication Cross Reference ID: SIK2594
©Copyright 2018 Hewlett Packard Enterprise Development LP
Hewlett Packard Enterprise Development shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HPE nor its affiliates, subcontractors or suppliers will be liable for incidental, special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett Packard Enterprise Development and the names of Hewlett Packard Enterprise Development products referenced herein are trademarks of Hewlett Packard Enterprise Development in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.

Legal Disclaimer: Products sold prior to the November 1, 2015 separation of Hewlett-Packard Company into Hewlett Packard Enterprise Company and HP Inc. may have older product names and model numbers that differ from current models.
