A pair of vulnerabilities in BMC firmware used in servers built by Lenovo – and in Acer and Penguin Computing boxes using Gigabyte server motherboards – can be exploited to hide malware deep below the operating system, hypervisor, and antivirus.
Said spyware could lurk out of sight and undetected by the OS, security tools, administrators, and users; could potentially snoop on and tamper with software and data on the machine; and persist in the motherboard's flash chips allowing it to survive wipes or replacements of storage drives.
Researchers at US-based Eclypsium on Tuesday detailed the flaws: they can be exploited by a malicious logged-in user, or malware, with admin credentials to inject surveillanceware into the system's firmware.
Obviously, if someone or something awful has admin or root-level access to your server kit, it's already pretty much game over for you, though that's not the point here: these bugs can be abused by someone who has already owned your kit to bury deeper, potentially avoiding detection and persisting across reboots and drive wipes.
To hear Eclypsium tell it, the vulnerabilities specifically lie within Vertiv's MergePoint EMS baseboard management controller (BMC) firmware, which is sold to Lenovo for use in its server products, and Gigabyte to use in motherboards sold to Acer, Ciara, Penguin Computing, sysGen, Bigtera, and AMAX, again for use in server products.
The flaws were discovered in Vertiv's code by Eclypsium, reported to Lenovo in July 2018, and first patched in November that year. The holes were found again in BMC firmware on Gigabyte server mobos in March of this year, and traced back to Vertiv, formerly known as Avocent, in April. Now, with the vendors having had ample time to address the coding blunders, Eclypsium is going public.
(Score: 0) by Anonymous Coward on Thursday July 18 2019, @01:08PM
OpenBMC [github.com] is the way to go.