August 13, 2019
Newly discovered weaknesses in a baseboard management control (BMC) firmware supplier put servers from eight different manufacturers at risk, according to research from Eclypsium. In a recently published report that analyzed BMC firmware, researchers found that the vendors were vulnerable to third-party weaknesses.
Supply chain risks continue to be the root cause of cyber-attacks, and major server manufacturers including Lenovo ThinkServer-branded servers, were reportedly left open to the potential of data loss and permanent damage to hardware through these vulnerabilities. The flaws also allowed attackers to persist despite new operating system installation.
examining a Lenovo ThinkServer RD340 we discovered two serious vulnerabilities
in the firmware of the baseboard management controller (BMC). This device is a
dual-socket 1U Ivy Bridge generation server released in 2014 and has an ASPEED
AST2300 for its BMC,” researchers wrote in a July 16 blog post.
“Further investigation revealed that the vulnerable firmware was sourced as a third-party product called MergePoint EMS, made by Avocent (now Vertiv). This same vulnerable firmware was used in other products as well, including a large percentage of Gigabyte’s line of Enterprise Servers (note that only Gigabyte servers based on Vertiv/Avocent BMCs are affected).”
Not only does Gigabyte build motherboards and servers, but it also provides motherboards to smaller system integrators in order for them to build complete systems under their own branding. Researchers identified the vulnerability in a variety of servers including Acer, AMAX, Bigtera, Ciara, Penguin Computing and sysGen.
Server firmware vulnerabilities are common and have been identified in global manufacturers. While these flaws can have a significant impact on enterprise IT infrastructure, what is more concerning the potential that a persistent attacker could exploit the vulnerability and gain access to the server, where they could remain undetected for an extended period of time.
“This highlights an important challenge for the industry. Most hardware vendors do not write their own firmware and instead rely on their supply chain partners. Firmware is quite commonly licensed from a third party and used with little modification, allowing vulnerabilities to extend to many different brands and products,” researchers wrote. “To adapt, manufacturers must thoroughly test any firmware they license for vulnerabilities. Likewise, enterprise security teams should perform security scans of device firmware as part of accepting any new piece of hardware.”
Lenovo recognized the researchers and thanked them upon releasing advisory and firmware updates that fix the command injection issue for affected platforms. Still, “Lenovo has advised that signed BMC firmware was not part of the design of this circa-2014 generation server and this weakness cannot be addressed. These systems will remain vulnerable until they are decommissioned and caution should be exercised to ensure they do not run untrusted code.”