Stories
Slash Boxes
Comments

SoylentNews is people

posted by mrpg on Friday June 08 2018, @12:09PM   Printer-friendly [Skip to comment(s)]
from the not-so-super-it-seems dept.

Submitted via IRC for mechanicjay

We have already seen both proof-of-concept and in-the-wild demonstrations of attacks targeting system firmware such as SMM rootkits, device firmware replacement, and even usurping firmware-based features for malware. As part of our ongoing security research efforts, we recently reviewed various Supermicro systems and discovered serious firmware vulnerabilities. Such issues affect many models and have persisted for many years, which could be problematic since these systems are commonly used as data center servers. As other researchers have shown, Supermicro is not alone. Security vulnerabilities in firmware continue to be discovered regularly. Unfortunately, malicious activity at the firmware and hardware level is invisible to most detection and response mechanisms in use today, leaving many critical systems exposed to attacks that target this area.

These vulnerabilities are easily exploitable and provide malware with the same impact as having physical access to the kind of system that is usually stored in a secure data center. A physical attacker who can open the case could simply attach a hardware programmer to bypass protections. Using the attacks we have discovered, it is possible to scale powerful malware much more effectively through malicious software instead of physical access.

Source: Firmware Vulnerabilities in Supermicro Systems


Original Submission

Related Stories

Supermicro Says That an Audit Found No Evidence to Support Claims of Chinese Backdoors in Products 21 comments

Audit: No Chinese surveillance implants in Supermicro boards found

In a letter to customers issued December 11, Supermicro President and CEO Charles Liang and other top executives announced that an audit conducted by an outside investigating team had found no evidence of any malicious hardware incorporated into motherboards currently or previously manufactured by the company. The letter is the latest rebuttal to Bloomberg reports in October that claimed tiny chips that provided a backdoor for China's intelligence agencies had been integrated into boards provided to major Internet and cloud providers—a report also refuted by the companies the report claimed were targeted.

"After a thorough examination and a range of functional tests, the investigative firm found absolutely no evidence of malicious hardware on our motherboards," the letter signed by Liang, Supermicro Senior Vice President and Chief Compliance Officer David Weigland, and Senior VP and Chief Product Officer Raju Penumatcha stated.

Searching for site:soylentnews.org supermicro on Google brought up a Supermicro ad linking the CEO letter, with the link entitled "Supermicro Independent Testing | No Malicious Hardware‎". Do you believe them?

Previously: Chinese Spy Chips Allegedly Inserted Into Amazon, Apple, etc. Datacenters by Super Micro
Bloomberg Stands by Chinese Chip Story as Apple, Amazon Ratchet up Denials
Bloomberg Claims That a Major U.S. Telecom Operated a Server Backdoored by a Hidden Chip

Related: Apple Deleted Server Supplier After Finding Infected Firmware in Servers
Firmware Vulnerabilities in Supermicro Systems
Supermicro Announces Suspension of Trading of Common Stock on Nasdaq and its Intention to Appeal


Original Submission

Bloomberg Claims That a Major U.S. Telecom Operated a Server Backdoored by a Hidden Chip 20 comments

Major US telecom was infiltrated by backdoored Supermicro hardware, Bloomberg says

Five days after Bloomberg stunned the world with still-unconfirmed allegations that Chinese spies embedded data-sniffing chips in hardware used by Apple, Amazon, and dozens of other companies, the news organization is doubling down. Bloomberg is now reporting that a different factory-seeded manipulation from the previously described one was discovered in August inside the network of a major US telecommunications company.

Bloomberg didn't name the company, citing a non-disclosure agreement between the unnamed telecom and the security firm it hired to scan its data centers. AT&T, Sprint and T-Mobile all told Ars they weren't the telecom mentioned in the Bloomberg post. Verizon and CenturyLink also denied finding backdoored Supermicro hardware in their datacenters, Motherboard reported.

Tuesday's report cites documents, analysis, and other evidence provided by Yossi Appleboum, who is co-CEO of a hardware security firm called Sepio Systems. Bloomberg said that, while Sepio was scanning servers belonging to the unnamed telecom, the firm detected unusual communications from a server designed by Supermicro. Supermicro, according to last week's Bloomberg report, is the hardware manufacturer whose motherboards were modified in the factory to include a tiny microchip that caused attached servers to come under the control of a previously unreported division of China's People's Liberation Army. Supermicro told Bloomberg it had no knowledge of the implant, marking the second time the hardware maker has denied knowing anything about the reported manipulations.

[...] The criticism was still at full pitch on Tuesday morning when Bloomberg published its follow-up article. While it names a single source, some security experts quickly challenged the credibility of the report. "Sure this story has one named source but it technically makes even less sense than the first one," Cris Thomas, a security expert who tweets under the handle SpaceRogue, wrote. "Come on @Bloomberg get somebody who knows what they're talking about to write these stories. Calling BS on this one as well."

Previously: Chinese Spy Chips Allegedly Inserted Into Amazon, Apple, etc. Datacenters by Super Micro
Bloomberg Stands by Chinese Chip Story as Apple, Amazon Ratchet up Denials

Related: Firmware Vulnerabilities in Supermicro Systems
Supermicro Announces Suspension of Trading of Common Stock on Nasdaq and its Intention to Appeal


Original Submission

This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
(1)
  • (Score: 2) by Runaway1956 on Friday June 08 2018, @02:42PM (1 child)

    by Runaway1956 (2926) Subscriber Badge on Friday June 08 2018, @02:42PM (#690335) Homepage Journal

    TFA specifically mentions "Intel based systems". Doesn't mention AMD at all. Doesn't mention Nvidia. It isn't clear whether I've dodged the bullet with this one - or all Supermicro systems are affected. Only three specific boards are mentioned, none of which are in the same family as my board. This is the kind of thing that makes a guy scratch his beard, and say things like, "Hmmmmm." Which always impresses the little kids . . .

    --
    Our first six presidents were educated men. Then, along came a Democrat.
  • (Score: 1, Informative) by Anonymous Coward on Friday June 08 2018, @03:59PM

    by Anonymous Coward on Friday June 08 2018, @03:59PM (#690371)

    It appears that Supermicro servers [soylentnews.org] were already discovered to have these types of vulnerabilities.

  • (Score: 1, Interesting) by Anonymous Coward on Friday June 08 2018, @05:41PM

    by Anonymous Coward on Friday June 08 2018, @05:41PM (#690417)

    Good security practice would be to set the least privilege required. In some cases, however, the descriptor itself is writable by software executing on the host processor. In this case, the mechanism doesn’t protect anything at all! Malware can simply modify the permissions and bypass any protection, potentially leaving firmware exposed.

    so ridiculous it seems malicious.

    In general, the flash descriptor region should be “immutable” once the system completes the manufacturing process and is ready for production use.

    i would think there could be a secure way to let the buyer control this, but hey why not just flash some insecure shit and then lock it down(or don't, i guess). that's Intel's motto, right?

    This manual analysis uncovered that Supermicro X9DRi-LN4F+, X10SLM-F and X11SSM-F systems did not securely authenticate firmware updates. We confirmed this result by intentionally modifying the binary in official Supermicro firmware images and observing that the system firmware still accepted and installed the modified package. We were able to download a standard firmware update, change the code to one of the modules, and successfully apply it to systems using the standard update tools.

    people pay good money for supermicro with the expectation of quality. there's no excuse for the above incompetence/sabotage. if i had bought any of their expensive shit i would be pissed.

    We contacted Supermicro in January of this year to report these vulnerabilities and recommend that they implement industry standard practices to cryptographically authenticate firmware updates and implement anti-rollback for security fixes.

    hmm, it's hard to tell from glancing at supermicro's hilarious cold fusion based website when it's released firmware to address this nonsense. i'm just glad their firmware team is as high caliber as the web dev team.

  • (Score: 0) by Anonymous Coward on Saturday June 09 2018, @12:52PM

    by Anonymous Coward on Saturday June 09 2018, @12:52PM (#690769)

    Why can't they be on the communities side for once and do some good in the world

(1)