Hewlett Packard Enterprise Product Security Vulnerability Alerts
TPM-FAIL Vulnerability (CVE-2019-16863)
Version 2.0 : Last Updated: February 4, 2020
This website is updated frequently, as new product information becomes available.
In May 2019, ST Micro, a Trusted Platform Module (TPM) vendor, was contacted by an academic team who described a security vulnerability discovered in an ST TPM. The vulnerability targets the Elliptic Curve Digital Signature Algorithm (ECDSA) signature generation function supported by an identified TPM product (ST33TPHF2ESPI - Firmware 73.4). The attack is based on measurements of TPM command execution timing (CVE-2019-16863).
The researchers who disclosed TPM-FAIL also listed Intel’s firmware-based TPM as vulnerable, but HPE products do not support Intel’s firmware-based TPM.
Resources:
- HPE Vulnerability Homepage
- HPESBHF03972 - HPE ProLiant, Synergy and Apollo Gen10 Server Platform Using TPM, Remote Disclosure of Information
- TPM FAIL
- Information on ST's TPM firmware update – ECDSA signature generation
- HPE Support Center
Usage Instructions and Definitions for CVE Vulnerability Information

| Data | Definition |
|---|---|
| Product Category | High-level product description. |
| Product Sub-Category | Medium-level product description. |
| Product Name | Detailed product description. |
| (Impacted) | Indicates whether the specific product is affected by the cited vulnerability. |
| If Impacted - Mitigation or Under Investigation | Information regarding how to address a vulnerability. |
| Link(s) to security bulletin (Vendor) | Link to Vendor's Security Bulletin. |

Use the following table to find vulnerability information by entering the name of the product (e.g. ML350) in the search box.

| Category | Sub Category | Product Name | Impacted | Mitigation and Notes | Customer Bulletin (HPE) | Security Bulletin |
|---|---|---|---|---|---|---|
| Servers | ProLiant | DL360 Gen10 | Yes | Update TPM firmware to version 73.20 | | |
| Servers | ProLiant | DL380 Gen10 | Yes | Update TPM firmware to version 73.20 | | |
| Servers | ProLiant | DL560 Gen10 | Yes | Update TPM firmware to version 73.20 | | |
| Servers | ProLiant | BL460c Gen10 | Yes | Update TPM firmware to version 73.20 | | |
| Servers | Synergy | SY480 Gen10 | Yes | Update TPM firmware to version 73.20 | | |
| Servers | Synergy | SY660 Gen10 | Yes | Update TPM firmware to version 73.20 | | |
| Servers | Apollo | XL230k Gen10 | Yes | Update TPM firmware to version 73.20 | | |
| Servers | ProLiant | ML350 Gen10 | Yes | Update TPM firmware to version 73.20 | | |
| Servers | ProLiant | ML110 Gen10 | Yes | Update TPM firmware to version 73.20 | | |
| Servers | ProLiant | DL160 Gen10 | Yes | Update TPM firmware to version 73.20 | | |
| Servers | ProLiant | DL180 Gen10 | Yes | Update TPM firmware to version 73.20 | | |
| Servers | ProLiant | DL580 Gen10 | Yes | Update TPM firmware to version 73.20 | | |
| Servers | ProLiant | DL120 Gen10 | Yes | Update TPM firmware to version 73.20 | | |
| Servers | ProLiant | DL385 Gen10 | Yes | Update TPM firmware to version 73.20 | | |
| Servers | Apollo | XL170/190 Gen10 | Yes | Update TPM firmware to version 73.20 | | |
| Servers | Apollo | XL450 Gen10 | Yes | Update TPM firmware to version 73.20 | | |
| Servers | Apollo | XL270d Gen10 | Yes | Update TPM firmware to version 73.20 | | |
| Servers | ProLiant | DL325 Gen10 | Yes | Update TPM firmware to version 73.20 | | |
| Servers | Apollo | XL420 Gen10 | Yes | Update TPM firmware to version 73.20 | | |
| Servers | ProLiant | DL20 Gen10 | Yes | Update TPM firmware to version 73.20 | | |
| Servers | ProLiant | ML30 Gen10 | Yes | Update TPM firmware to version 73.20 | | |
| Server | ProLiant | ML10 Gen9 | No | Not Impacted | | |
| Server | ProLiant | MicroServer Gen10 | No | Not Impacted | | |
| Storage | Storage | StoreOnce | Yes | Impacted because ProLiant Gen10 is affected. Refer to the Gen10 platform mitigation | | |
| Storage | Storage | StoreEasy | Yes | Impacted because ProLiant Gen10 is affected. Refer to the Gen10 platform mitigation | | |
| Servers | Edgeline | e910 | Yes | Update TPM firmware to version 73.20 | | |
| Servers | Edgeline | EL300 | Yes | Fix under investigation | | |
| Servers | Cloudline | CL2600 | Under Investigation | Product impact needs to be determined | | |
| Servers | Cloudline | CL2800 | Under Investigation | Product impact needs to be determined | | |
| Servers | Synergy | HPE Synergy 4-port Frame Link Module | No | The cryptographic services identified in this vulnerability are not utilized/accessed in this product | | |