News

Gigabyte and Lenovo server solutions were under threat because of bugs in the BMC firmware

It was reported this week that engineers at Gigabyte and Lenovo have published updated firmware for their server motherboards.

However, Eclypsium specialists discovered two serious vulnerabilities at once in the Vertiv Avocent MergePoint EMS BMC.

Gigabyte, Lenovo and other vendors use the MergePoint EMS component as a BMC (Baseboard Management Controller) on their server motherboards.

The BMC is equipped with its own CPU, storage system and LAN interface, through which the remote administrator can connect and give the server or PC a command to perform certain operations (changing the OS settings, reinstalling the OS, updating drivers, and so on).

“In addition to building motherboards and servers under their own brand, Gigabyte also provides motherboards to smaller system integrators who then build complete systems under their own branding. This vulnerable firmware was included in servers from a variety of vendors including: Acer, AMAX, Bigtera, Ciara, Penguin Computing, sysGen. This highlights an important challenge for the industry,” warned Eclypsium experts.

Additionally, Eclypsium reported two problems in MergePoint EMS. First, it does not use a cryptographically secure update process, so an attacker who has already gained access to the system can replace the genuine BMC firmware with a malicious one. Second, a separate command-injection bug in MergePoint EMS allowed executing malicious code with elevated privileges.
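As an added illustration (not code from the article or from any vendor named in it), this is the check a cryptographically secure update process performs before flashing: the BMC verifies a vendor signature over the whole image and refuses downgrades. The image layout, the Ed25519 key pair and the version field are assumptions constructed for the example, not the MergePoint EMS format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed image layout (an assumption, not the MergePoint EMS format):
// 4-byte big-endian version || payload || 64-byte Ed25519 signature.
const sigLen = ed25519.SignatureSize

var (
	ErrTooShort = errors.New("image too short to carry a signature")
	ErrBadSig   = errors.New("signature does not verify against the vendor key")
	ErrRollback = errors.New("image version is older than the installed version")
)

// BuildImage signs version||payload; this runs at the vendor, never on the BMC.
func BuildImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	buf := make([]byte, 4, 4+len(payload)+sigLen)
	binary.BigEndian.PutUint32(buf, version)
	buf = append(buf, payload...)
	return append(buf, ed25519.Sign(priv, buf)...)
}

// VerifyImage is the check a BMC should run before flashing: verify the signature
// over everything but the trailing signature, then refuse downgrades so a signed
// but old (vulnerable) image cannot be reinstalled.
func VerifyImage(pub ed25519.PublicKey, installed uint32, img []byte) (uint32, []byte, error) {
	if len(img) < 4+sigLen {
		return 0, nil, ErrTooShort
	}
	body, sig := img[:len(img)-sigLen], img[len(img)-sigLen:]
	if !ed25519.Verify(pub, body, sig) {
		return 0, nil, ErrBadSig
	}
	version := binary.BigEndian.Uint32(body[:4])
	if version < installed {
		return 0, nil, ErrRollback
	}
	return version, body[4:], nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // stand-in for the vendor key pair
	img := BuildImage(priv, 2, []byte("constructed BMC payload"))
	img[5] ^= 0xff // flip one payload byte: the signature no longer verifies
	_, _, err := VerifyImage(pub, 1, img)
	fmt.Println("tampered image rejected:", err)
}
```

Without the signature check, the same code path would accept any image an attacker with host access writes to the BMC, which is the failure mode Eclypsium describes.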

Although exploiting either vulnerability requires the attacker to have already compromised the target machine, the researchers warned that the problems are still extremely dangerous, as they can be used to plant very persistent backdoors that survive even an OS reinstall.


Back in November 2018, Lenovo released firmware updates addressing these issues, but in fact the developers fixed only the command-injection vulnerability. The company does not plan to fix the second problem with firmware updates, citing the fact that Lenovo began using MergePoint EMS as a BMC in 2014, when cryptographically signed firmware updates were not the industry standard, and such protection was simply not part of the component's design. Worse, the exact list of server products using vulnerable BMCs has not been made public.

Gigabyte, in turn, released updated firmware for its solutions in May, but it too left the insecure firmware update vulnerability unfixed. According to Eclypsium, Gigabyte developers published patches only for motherboards that use the ASPEED AST2500 controller, not for those with the ASPEED AST2400, although these also run Vertiv Avocent MergePoint EMS.

It is worth noting that at the end of June, Gigabyte representatives announced that the company no longer supports products with Vertiv Avocent MergePoint EMS firmware and is switching to AMI MegaRAC SP-X. Thus, Gigabyte customers will be able to protect themselves by switching to AMI MegaRAC SP-X once the new firmware is available.
Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.
