BMC firmware weaknesses put popular servers at risk - updated

Security flaws identified by Eclypsium have since been mitigated by manufacturers

Weaknesses affecting baseboard management controller (BMC) firmware have put servers from Lenovo, Gigabyte and several other manufacturers at risk.

That's according to a new report by security firm Eclypsium, which explores the vulnerability of popular server systems to firmware attacks.

Researchers found two serious vulnerabilities in the baseboard management controller firmware of the Lenovo ThinkServer RD340 during an examination of the device.

"This device is a dual-socket 1U Ivy Bridge generation server released in 2014 and has an ASPEED AST2300 for its BMC," warned the firm in a blog post.

"However, further investigation revealed that the vulnerable firmware was sourced as a third-party product called MergePoint EMS, made by Avocent (now Vertiv)."

What's concerning is that this vulnerable software has been used for other electronics, including "a large percentage" of Gigabyte enterprise servers.

Gigabyte also supplies motherboards to smaller system integrators that build other devices, potentially putting further models at risk.

The vulnerable software was also used by several other vendors, such as Acer, AMAX, Bigtera, Ciara, Penguin Computing and sysGen.

During their analysis, researchers discovered two vulnerabilities affecting BMC firmware. Eclypsium said that the first means the "BMC firmware update process for MergePoint EMS does not perform cryptographic signature verification before accepting updates and writing the contents to SPI flash".

Meanwhile, the second is a command injection vulnerability affecting the code in the BMC responsible for performing firmware updates.
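To show what the first issue means in practice, here is an added illustration (not code from Eclypsium, Lenovo or the MergePoint EMS firmware) of an update routine that writes whatever image it is handed to flash, beside one that first verifies a vendor signature. It assumes Ed25519 as the signing scheme, a throwaway vendor key and a byte slice standing in for SPI flash; the flipped byte mimics an unauthorised modification.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// flash stands in for the BMC's SPI flash: a constructed byte slice, not real hardware.
type flash struct{ contents []byte }

// unverifiedUpdate mirrors the weakness the report describes: whatever image the
// host hands over is written straight to flash with no signature check.
func unverifiedUpdate(f *flash, image []byte) {
	f.contents = append([]byte(nil), image...)
}

// verifiedUpdate is the corrected path: the image must carry a valid Ed25519
// signature from the vendor key embedded in the BMC before anything is written.
func verifiedUpdate(f *flash, vendorKey ed25519.PublicKey, image, sig []byte) error {
	if len(sig) != ed25519.SignatureSize {
		return errors.New("malformed signature")
	}
	if !ed25519.Verify(vendorKey, image, sig) {
		return errors.New("signature verification failed; flash left untouched")
	}
	f.contents = append([]byte(nil), image...)
	return nil
}

// Scenario signs a constructed image with a throwaway vendor key, feeds a tampered
// copy to both paths, and reports: weak path accepted it, strong path rejected it,
// strong path still accepts the genuine image.
func Scenario() (weakAccepted, strongRejected, genuineAccepted bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	genuine := []byte("BMC-FW v1.00 (constructed sample image)")
	sig := ed25519.Sign(priv, genuine)
	tampered := append([]byte(nil), genuine...)
	tampered[4] = 'X' // one flipped byte is enough to invalidate the signature
	var weak, strong flash
	unverifiedUpdate(&weak, tampered)
	weakAccepted = bytes.Equal(weak.contents, tampered)
	strongRejected = verifiedUpdate(&strong, pub, tampered, sig) != nil && strong.contents == nil
	genuineAccepted = verifiedUpdate(&strong, pub, genuine, sig) == nil && bytes.Equal(strong.contents, genuine)
	return
}
```

The signature check only helps if the public key itself lives in storage the host cannot rewrite; otherwise an attacker with host root could simply replace the key along with the image.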

"Both of these issues allow an attacker running with administrative privileges on the host (such as through exploitation of a different host-based vulnerability) to run arbitrary code within the BMC as root and make persistent modifications to the BMC's SPI flash contents," explained Eclypsium.

"Malicious modifications to the BMC firmware can be used by an attacker to maintain persistence in the system and survive common incident response steps such as reinstallation of the operating system."

Eclypsium added that the attackers could even "modify the environment within the BMC to prevent any further firmware updates through software mechanisms, thus enabling an attacker to 'brick' (permanently disable) the BMC through software means".

It added that the "only option to fix the system is through physically re-flashing the SPI chip with a tool like a Dediprog or another SPI flash programmer".

Since learning of these vulnerabilities, Lenovo has released firmware updates to solve the command injection issue. Recent Gigabyte firmware has also been updated to solve the command injection vulnerability.

UPDATE 4th October 2019:

In a statement to Computing, BMC firmware provider Vertiv said: "As a leading provider of BMC firmware to the OEM community, Avocent began working with key customers as early as 2012, before it was common in the industry, to encrypt and provide verification that the software or firmware being updated was from a trusted source.

"In 2014, Avocent released a feature upgrade for the MergePoint EMS BMC firmware platform that included verification signing. During the past year, we were alerted to the command line concern and quickly developed and released a patch for our customers.

"We are not aware of any issues related to this, and it's important to note that the issue identified by the researcher could not have been used to penetrate a network or system. Only someone with access to the system could exploit it.

"We appreciate researchers bringing matters like this to our attention. It helps strengthen our products, and provides an opportunity to remind all consumers and businesses to regularly install software updates and patches to keep their systems current."