SoylentNews

Malware Can Bury Deep Inside Lenovo or Gigabyte Servers' Baseboard Management Controller

posted by Fnord666 on Thursday July 18 2019, @07:51AM   
from the digging-in-deep dept.

Arthur T Knackerbracket has found the following story:

A pair of vulnerabilities in BMC firmware used in servers built by Lenovo – and in Acer and Penguin Computing boxes using Gigabyte server motherboards – can be exploited to hide malware deep below the operating system, hypervisor, and antivirus.

Said spyware could lurk out of sight and undetected by the OS, security tools, administrators, and users; could potentially snoop on and tamper with software and data on the machine; and persist in the motherboard's flash chips allowing it to survive wipes or replacements of storage drives.

Researchers at US-based Eclypsium on Tuesday detailed the flaws: they can be exploited by a malicious logged-in user, or malware, with admin credentials to inject surveillanceware into the system's firmware.

Obviously, if someone or something awful has admin or root-level access to your server kit, it's already pretty much game over for you, though that's not the point here: these bugs can be abused by someone who has already owned your kit to bury deeper, potentially avoiding detection and persisting across reboots and drive wipes.

To hear Eclypsium tell it, the vulnerabilities specifically lie within Vertiv's MergePoint EMS baseboard management controller (BMC) firmware, which is sold to Lenovo for use in its server products, and Gigabyte to use in motherboards sold to Acer, Ciara, Penguin Computing, sysGen, Bigtera, and AMAX, again for use in server products.

The flaws were discovered in Vertiv's code by Eclypsium, reported to Lenovo in July 2018, and first patched in November that year. The holes were found again in BMC firmware on Gigabyte server mobos in March of this year, and traced back to Vertiv, formerly known as Avocent, in April. Now, with the vendors having had ample time to address the coding blunders, Eclypsium is going public.

---

Original Submission

• A fine, friendly, US company A fine, friendly, US company (Score: 4, Funny) by c0lo on Thursday July 18 2019, @08:27AM (2 children)

  by c0lo (156) on Thursday July 18 2019, @08:27AM (#868412) Journal

  Avocent [wikipedia.org]

  Avocent, a business of Vertiv, is an information-technology products manufacturer headquartered in Huntsville, Alabama. Avocent formed in 2000 from the merger of the world's two largest manufacturers of KVM (keyboard, video and mouse) equipment: Apex and Cybex Computer Products Corporation. As of August 2006, the company employed more than 1,800 people worldwide.

  Unlike Huawei, that's a friendly US company, headquartered in the patriotic Alabama.
  Nothing to fear, folks.

  (grin)

  --
  https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford

  Starting Score:	1		point
  Moderation		+2
  Insightful=1, Funny=1, Total=2
  Extra 'Funny' Modifier		0
  Karma-Bonus Modifier		+1
  Total Score:		4

• Re:A fine, friendly, US company Re:A fine, friendly, US company (Score: 0) by Anonymous Coward on Thursday July 18 2019, @09:58AM (1 child)

  by Anonymous Coward on Thursday July 18 2019, @09:58AM (#868428)

  Many citizens of the USA have a heavy self-identification problem. They identify themselves with so called state, which actually they, clearly, are not.

  Parent

  • Re:A fine, friendly, US company (Score: 0, Disagree) by Anonymous Coward on Thursday July 18 2019, @08:41PM

    by Anonymous Coward on Thursday July 18 2019, @08:41PM (#868674)

    This is more a feature of the state than a bug in the citizens. As long as they perceive themselves to be the state, every criticism directed at the state will trigger a knee-jerk emotional defensive response, thereby keeping the state in power.

    Or as Yoda would say, the state runs deep in these ones.

    Parent