Researchers at firmware security company Eclypsium discovered that the baseboard management controller (BMC) shipped with some servers from Lenovo, Gigabyte and other vendors contains some potentially serious vulnerabilities.
The BMC is a small computer present on a majority of server motherboards. A component of the Intelligent Platform Management Interface (IPMI), it allows administrators to remotely control and monitor a server without having to access the operating system or applications running on it. Admins can use the BMC to reboot a device, install an operating system, update the firmware, monitor system parameters, and analyze logs.
While the capabilities provided by the BMC can be highly useful, the system also introduces security risks, with several attacks demonstrated in the past by experts.
Eclypsium researchers discovered flaws in the BMC firmware while analyzing a Lenovo ThinkServer RD340 server. Further analysis revealed that the vulnerable firmware was sourced as a third-party product called MergePoint EMS, made by Vertiv (formerly Avocent), which is also used by many Gigabyte Enterprise Servers.
The vulnerabilities also made their way into firmware present on motherboards provided by Gigabyte to other companies for their own servers, including Acer, Amax, Bigtera, Ciara, Penguin Computing and sysGen.
“This highlights an important challenge for the industry. Most hardware vendors do not write their own firmware and instead rely on their supply chain partners,” Eclypsium explained. “Firmware is quite commonly licensed from a third party and used with little modification, allowing vulnerabilities to extend to many different brands and products. To adapt, manufacturers must thoroughly test any firmware they license for vulnerabilities. Likewise, enterprise securi ..
Support the originator by clicking the read the rest link below.
