Gigabyte and Lenovo server solutions were under threat because of bugs in BMC firmware

It was reported this week that engineers at Gigabyte and Lenovo have published firmware updates for their server motherboards.

Eclypsium specialists discovered two serious vulnerabilities at once in the Vertiv Avocent MergePoint EMS BMC.

Gigabyte, Lenovo and other vendors use the MergePoint EMS component as a BMC (Baseboard Management Controller) on their server motherboards.

The BMC is equipped with its own CPU, storage system and LAN interface, through which the remote administrator can connect and give the server or PC a command to perform certain operations (changing the OS settings, reinstalling the OS, updating drivers, and so on).

“In addition to building motherboards and servers under their own brand, Gigabyte also provides motherboards to smaller system integrators who then build complete systems under their own branding. This vulnerable firmware was included in servers from a variety of vendors including: Acer, AMAX, Bigtera, Ciara, Penguin Computing, sysGen. This highlights an important challenge for the industry,” warned Eclypsium experts.

Additionally, Eclypsium reported two problems in MergePoint EMS. First, it does not use a cryptographically secure update process, so an attacker who has already entered the system can easily replace the real BMC firmware with a malicious one. Second, because of another bug in MergePoint EMS, it was possible to inject commands, which allowed executing malicious code with elevated privileges.

Although exploiting both vulnerabilities presupposes that the attacker has already compromised the target machine and penetrated the system, the researchers warned that the problems are still extremely dangerous, as they can be used to introduce very persistent backdoors that can “survive” even an OS reinstall.

Back in November 2018, Lenovo released firmware updates addressing these issues, but in fact the developers eliminated only one vulnerability, the one that allows command injection. The company does not plan to fix the second problem (with firmware updates), citing the fact that Lenovo began using MergePoint EMS as a BMC in 2014, when cryptographically signed firmware updates were not the industry standard and such protection was simply not included in the component's design. Worse, the exact list of server products using vulnerable BMCs has not been made public.

Gigabyte, in turn, introduced updated firmware for its solutions in May, but the company also left the vulnerability associated with unsafe firmware updates unfixed. According to Eclypsium, Gigabyte developers have published patches only for motherboards that use the ASPEED AST2500 controller, but not for those with ASPEED AST2400 controllers, although they also work with Vertiv Avocent MergePoint EMS.

It is worth noting that at the end of June, Gigabyte representatives announced that the company is no longer supporting products with Vertiv Avocent MergePoint EMS firmware and is switching to AMI MegaRAC SP-X. Thus, Gigabyte customers will be able to protect themselves by switching to AMI MegaRAC SP-X when the new firmware is available.
Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.
