Submitted via IRC for mechanicjay
We have already seen both proof-of-concept and in-the-wild demonstrations of attacks targeting system firmware such as SMM rootkits, device firmware replacement, and even usurping firmware-based features for malware. As part of our ongoing security research efforts, we recently reviewed various Supermicro systems and discovered serious firmware vulnerabilities. Such issues affect many models and have persisted for many years, which could be problematic since these systems are commonly used as data center servers. As other researchers have shown, Supermicro is not alone. Security vulnerabilities in firmware continue to be discovered regularly. Unfortunately, malicious activity at the firmware and hardware level is invisible to most detection and response mechanisms in use today, leaving many critical systems exposed to attacks that target this area.
These vulnerabilities are easily exploitable and provide malware with the same impact as having physical access to the kind of system that is usually stored in a secure data center. A physical attacker who can open the case could simply attach a hardware programmer to bypass protections. Using the attacks we have discovered, it is possible to scale powerful malware much more effectively through malicious software instead of physical access.
Source: Firmware Vulnerabilities in Supermicro Systems
(Score: 2) by Runaway1956 on Friday June 08 2018, @02:42PM (1 child)
TFA specifically mentions "Intel based systems". Doesn't mention AMD at all. Doesn't mention Nvidia. It isn't clear whether I've dodged the bullet with this one - or all Supermicro systems are affected. Only three specific boards are mentioned, none of which are in the same family as my board. This is the kind of thing that makes a guy scratch his beard, and say things like, "Hmmmmm." Which always impresses the little kids . . .
(Score: 5, Informative) by RS3 on Friday June 08 2018, @03:57PM
TFA suggests you get and run "CHIPSEC framework" https://github.com/chipsec/chipsec [github.com] to test for the vulnerability. I would try it on _any_ system, just in case...
This article lists SuperMicro models affected: https://www.bleepingcomputer.com/news/security/firmware-vulnerabilities-disclosed-in-supermicro-server-products/ [bleepingcomputer.com]
And SuperMicro themselves: https://www.supermicro.com/support/security_Intel-SA-00088.cfm [supermicro.com]
(Score: 1, Informative) by Anonymous Coward on Friday June 08 2018, @03:59PM
It appears that Supermicro servers [soylentnews.org] were already discovered to have these types of vulnerabilities.
(Score: 1, Interesting) by Anonymous Coward on Friday June 08 2018, @05:41PM
so ridiculous it seems malicious.
i would think there could be a secure way to let the buyer control this, but hey why not just flash some insecure shit and then lock it down(or don't, i guess). that's Intel's motto, right?
people pay good money for supermicro with the expectation of quality. there's no excuse for the above incompetence/sabotage. if i had bought any of their expensive shit i would be pissed.
hmm, it's hard to tell from glancing at supermicro's hilarious cold fusion based website when it's released firmware to address this nonsense. i'm just glad their firmware team is as high caliber as the web dev team.
(Score: 0) by Anonymous Coward on Saturday June 09 2018, @12:52PM
Why can't they be on the communities side for once and do some good in the world