American Megatrends Incorporated (AMI) Affected

Notified:  July 22, 2014 Updated: August 01, 2014

Status

Affected

Vendor Statement

AMI has addressed the issue on a generic basis and is working with OEMs to implement fixes for projects in the field and production. End users should contact their board manufacturer for information on when a specific updated BIOS will be available.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Apple Inc. Affected

Notified:  July 22, 2014 Updated: October 22, 2015

Status

Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Dell Computer Corporation, Inc. Affected

Notified:  July 22, 2014 Updated: October 28, 2014

Status

Affected

Vendor Statement

The security of our systems and customer information is a top priority for Dell. Dell is aware of the recent security concerns that MITRE published, and is reviewing these claims against our products. Dell will take appropriate action to resolve any security related issues found on our products and provide updates to our customers. The vulnerability outlined by MITRE is not a Dell specific issue, but instead is a larger industry issue. An exploit of this vulnerability would have to be executed on a UEFI installed OS and executed under administrative privileges with driver-level access. Dell recommends that our customers use best security practices and lock down system admin modes as a standard part of their security process.

BIOS Details

Client Solutions (CS) commercial platforms do not use the UEFI code described in the MITRE vulnerability report during any BIOS or firmware update. The code exists in some client systems in a dormant state and may be discovered through binary analysis. Updated BIOS code has been developed to further quarantine this code during the boot process to mitigate any potential for indirect exploit.

A list of BIOS update patches is included below for planning purposes and BIOS revisions are included (subject to change):

Dell System                                BIOS Update   Release Planned
Latitude 13 (3340)                         A03           Oct-14
Latitude 6430U                             A09           Oct-14
Latitude E5440/E5540                       A09           Nov-14
Latitude E5530/E5430                       A15           Oct-14
Latitude E6230/E6330/E6430S                A14           Oct-14
Latitude E6530                             A16           Oct-14
Latitude E6430                             A16           Oct-14
Latitude E6440                             A09           Nov-14
Latitude E6540                             A12           Nov-14
Latitude E7240/E7440                       A12           Nov-14
OptiPlex 3010                              A13           Nov-14
OptiPlex 3011 AIO                          A06           Oct-14
OptiPlex 3020                              A05           Oct-14
OptiPlex 7010/9010                         A19           Oct-14
OptiPlex 7020/9020                         A08           Oct-14
OptiPlex 9010 AIO                          A16           Oct-14
OptiPlex 9020 AIO                          A09           Oct-14
Precision Mobile Workstation M4700         A13           Oct-14
Precision Mobile Workstation M6700         A14           Oct-14
Precision Workstation R7610                A08           Nov-14
Precision Workstation T1650                A18           Nov-14
Precision Workstation T1700                A11           Oct-14
Precision Workstation T3610/T5610/T7610    A09           Nov-14
Precision Workstation M6800/M4800          A11           Nov-14
PowerEdge Server T20                       A06           Nov-14
Venue 11 Pro (5130-32Bit)                  A09           Oct-14
Venue 11 Pro (5130-64Bit)                  A02           Oct-14
Venue 11 Pro (7130/7139)                   A13           Oct-14
Venue 8 Pro (5830)                         A09           Oct-14

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Hewlett-Packard Company Affected

Notified:  July 09, 2014 Updated: August 12, 2014

Status

Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

Hewlett-Packard has released a list of affected systems.

IBM Corporation Not Affected

Notified:  July 22, 2014 Updated: July 28, 2015

Statement Date:   October 30, 2014

Status

Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Insyde Software Corporation Not Affected

Notified:  July 22, 2014 Updated: February 03, 2015

Status

Not Affected

Vendor Statement

"Insyde has reviewed the Insyde BIOS code and believes that our Capsule Update implementation is not affected by this vulnerability. However some customers might have enabled the TianoCore implementation of Capsule Update. For this reason, Insyde did update to the latest available TianoCore implementation of Capsule Update. OEM and ODM customers are advised to contact their Insyde support representative for documentation and assistance. End users are advised to contact the manufacturer of their equipment."

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Intel Corporation Not Affected

Notified:  December 03, 2013 Updated: September 19, 2014

Status

Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Lenovo Affected

Notified:  July 22, 2014 Updated: October 02, 2014

Status

Affected

Vendor Statement

Lenovo advises customers to view their advisory for more details.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

NEC Corporation Unknown

Notified:  July 22, 2014 Updated: July 22, 2014

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Phoenix Technologies Ltd. Affected

Notified:  July 22, 2014 Updated: October 28, 2014

Status

Affected

Vendor Statement

"These issues affected our currently shipping SCT3 products and were fixed as of May 23, 2014, and the updates were promptly provided to our customers. We verified that our new SCT4 product is not affected by these issues."

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Sony Corporation Unknown

Notified:  July 22, 2014 Updated: July 22, 2014

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Toshiba Unknown

Notified:  July 22, 2014 Updated: July 22, 2014

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.
