News

Gigabyte and Lenovo server solutions were under threat because of the bugs in the BMC firmware

It was reported this week that engineers at Gigabyte and Lenovo have published updated of firmware for their server motherboards.

However, Eclypsium specialists discovered at once two serious vulnerabilities in the Vertiv Avocent MergePoint EMS BMC.

Gigabyte, Lenovo and other vendors use the MergePoint EMS component as a BMC (Baseboard Management Controller) on their server motherboards.

The BMC is equipped with its own CPU, storage system and LAN interface, through which the remote administrator can connect and give the server or PC a command to perform certain operations (changing the OS settings, reinstalling the OS, updating drivers, and so on).

“In addition to building motherboards and servers under their own brand, Gigabyte also provides motherboards to smaller system integrators who then build complete systems under their own branding. This vulnerable firmware was included in servers from a variety of vendors including: Acer, AMAX, Bigtera, Ciara, Penguin Computing, sysGen. This highlights an important challenge for the industry”, — warned Eclypsium experts.

Additionally, Eclypsium reported that MergePoint EMS, firstly, does not use a cryptographically secure update process, so, an attacker who has already entered the system can easily replace the real BMC firmware with a malicious one. Secondly, because of one more bug in MergePoint EMS, it was possible to inject commands, which allowed execuing malicious code with elevated privileges.

Although the use of both vulnerabilities suggests that the attacker must pre-compromise the target machine and penetrate the system, the researchers warned that the problems are still extremely dangerous, as they can be used to introduce very stable backdoors that can “survive” even after OS reinstalling.

Read also: RingCentral and Zhumu video conferencing services have the same critical vulnerability as Zoom

Back in November 2018, Lenovo released firmware updates addressing these issues, but in fact, developers have eliminated only one vulnerability that allows command injections. The company does not plan to eliminate the second problem (with firmware updates), citing the fact that Lenovo began using MergePoint EMS as a BMC in 2014, when firmware updates with a cryptographic signature were not the industry standard, and such protection was simply not included in component design. Worse, the exact list of server products using vulnerable BMCs has not been made public.

Gigabyte, in turn, introduced updated firmware for its solutions in May, but the company also left without fixing the vulnerability associated with unsafe firmware updates. According to Eclypsium, Gigabyte developers have published patches only for motherboards that use the ASPEED AST2500 controller, but not for the ASPEED AST2400 controllers, although they also work with Vertiv Avocent MergePoint EMS.

It is worth noting that at the end of June, Gigabyte representatives announced that the company is no longer supporting products with Vertiv Avocent MergePoint EMS firmware and is switching to AMI MegaRAC SP-X. Thus, Gigabyte customers will be able to protect themselves by switching to AMI MegaRAC SP-X when the new firmware is available.
User Review
0 (0 votes)
Comments Rating 0 (0 reviews)
Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.

Recent Posts

Remove Kurlibat.xyz pop-up ads (Virus Removal Guide)

Kurlibat.xyz is a site that tries to trick you into clik to its browser notifications…

14 hours ago

Remove Initiateintenselyrenewedthe-file.top pop-up ads (Virus Removal Guide)

Initiateintenselyrenewedthe-file.top is a domain that tries to trick you into clik to its browser notifications…

14 hours ago

Remove Wotigorn.xyz pop-up ads (Virus Removal Guide)

Wotigorn.xyz is a site that tries to force you into subscribing to its browser notifications…

14 hours ago

Remove Initiateintenselyprogressivethe-file.top pop-up ads (Virus Removal Guide)

Initiateintenselyprogressivethe-file.top is a domain that tries to force you into clik to its browser notifications…

14 hours ago

Remove Nuesobatoxylors.co.in pop-up ads (Virus Removal Guide)

Nuesobatoxylors.co.in is a domain that tries to trick you into subscribing to its browser notifications…

18 hours ago

Remove Helistym.xyz pop-up ads (Virus Removal Guide)

Helistym.xyz is a site that tries to force you into clik to its browser notifications…

18 hours ago