Gigabyte and Lenovo servers affected by common defects in BMC firmware

Lenovo servers

Two bugs, end-of-life products and a complex supply chain add up to a headache for server owners.

Gigabyte and Lenovo have published firmware updates for some of their server motherboards.

The affected products use a firmware component called MergePoint EMS, made by Avocent, a wholly owned subsidiary of data center equipment and services provider Vertiv.

Both Gigabyte and Lenovo used the MergePoint EMS component as the firmware of the baseboard management controller (BMC) on some of their server motherboards.

BMCs are part of the larger Intelligent Platform Management Interface (IPMI). IPMI is a set of tools commonly found on servers and workstations on corporate networks that lets sysadmins manage systems remotely.

The BMC is a component with its own CPU, storage and LAN interface. It lets a remote admin connect to the PC or server and send instructions for various operations, including changing OS settings, reinstalling the OS or updating drivers.

Security researchers at Eclypsium disclosed two flaws in the Vertiv Avocent MergePoint EMS BMC firmware in a report published on Tuesday, 16 July 2019.

First, the component lacks a cryptographically secure update process, so an attacker with a foothold on the host can overwrite the BMC firmware with a malicious image of their own.

Second, there is a command injection vulnerability in the MergePoint EMS component that lets an attacker run malicious code with the highest privileges on hosts running the vulnerable BMC firmware.

Both vulnerabilities require the attacker to already have access to the host, or for the host to already be compromised. This means neither can be used to attack servers remotely over the network.

They can, however, be used to plant extremely persistent backdoors that survive even a reinstall of the OS.

LENOVO PATCHES

In November 2018, Lenovo released firmware updates to address the two security flaws in the MergePoint EMS component. Lenovo's security advisory lists several ThinkServer models among the affected products.

The patches only address the command injection vulnerability, not the first issue, the acceptance of unverified firmware updates.

Lenovo told Eclypsium that it did not intend to patch the first issue. The company said that in 2014, when the MergePoint EMS component was first deployed as the BMC firmware on its servers, cryptographically signed firmware updates were not an industry standard, and that protection had not been included in the component's design.

The company said it will not address this issue and will let the affected products reach end-of-life. Lenovo did not publish an exact list of server products that use the insecure BMC firmware update process.

GIGABYTE PATCHES

Gigabyte similarly released firmware updates in May, but did not publish an official advisory to inform its customers.

Like Lenovo, Gigabyte only patched the second flaw, not the first.

Eclypsium said Gigabyte published firmware updates only for motherboards that use the ASPEED AST2500 BMC controller. No updates were released for server motherboards using the ASPEED AST2400 controller.

The BMC firmware for both the AST2500 and the AST2400 boards is based on Vertiv Avocent MergePoint EMS.

GIGABYTE SWITCHES TO AMI-BASED BMC FIRMWARE

In late June, Gigabyte also announced that it was ending support for the Vertiv Avocent MergePoint EMS firmware and switching to the AMI MegaRAC SP-X firmware platform.

It has started releasing server motherboard firmware updates that replace the BMC firmware with the new AMI MegaRAC SP-X.

Gigabyte said it decided to end support for the MergePoint EMS firmware platform after Vertiv itself announced that it was discontinuing the product, as of 1 April 2019.

In short, Gigabyte customers can protect themselves by installing the new AMI-based firmware, where it is available for their board.

SUPPLY-CHAIN PROBLEM

However, things aren't that simple. Eclypsium also pointed out that Gigabyte sells some of its server motherboards to third-party system integrators, which build their own branded server products around them.

Eclypsium fears that several Acer servers, which are built on Gigabyte boards, may contain the same MergePoint EMS firmware and therefore the same flaws.

Eclypsium said it could not determine which companies use the vulnerable motherboards as part of their supply chain, or whether those companies have been notified of the security problems it reported to Gigabyte.

For some device owners the situation is now a grey area: they must dig into their servers' hardware, check which BMC controller and which firmware they use, and then look for firmware updates, if any are available for their products.

Eclypsium said Vertiv never responded to its communications about the security flaws.
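As an added example (not code from Eclypsium, Gigabyte, Lenovo or Vertiv), here is a small POSIX shell helper for the inventory step described above: it pulls the fields an owner needs (manufacturer, product and firmware revision) out of the output of `ipmitool mc info`, the standard in-band query for a BMC's identity. The sample output embedded in the script is constructed in ipmitool's format with placeholder values; it is not real Gigabyte, Lenovo or Avocent identifiers, and the script does not know which revisions are vulnerable, since the page gives none.

```shell
#!/bin/sh
# Added example: summarize a BMC from `ipmitool mc info` output.
# On a real host:  ipmitool mc info | bmc_summary
# (ipmitool needs the in-band IPMI driver, e.g. /dev/ipmi0, and root.)

# Reads `ipmitool mc info` output on stdin and prints one line:
#   manufacturer_id|manufacturer_name|product_id|firmware_revision|ipmi_version
# Fields are "Label : value"; the awk separator swallows the padding
# around the colon. Only top-level lines are matched, so the indented
# "Additional Device Support" entries are ignored.
bmc_summary() {
    awk -F' *: *' '
        /^Manufacturer ID/   { mid   = $2 }
        /^Manufacturer Name/ { mname = $2 }
        /^Product ID/        { sub(/ .*/, "", $2); pid = $2 }  # keep decimal, drop "(0x..)"
        /^Firmware Revision/ { fw    = $2 }
        /^IPMI Version/      { ver   = $2 }
        END { printf "%s|%s|%s|%s|%s\n", mid, mname, pid, fw, ver }
    '
}

# CONSTRUCTED sample in ipmitool's layout; all values are placeholders,
# not identifiers of any real vendor, board or BMC firmware.
SAMPLE_MC_INFO='Device ID                 : 32
Device Revision           : 1
Firmware Revision         : 1.23
IPMI Version              : 2.0
Manufacturer ID           : 12345
Manufacturer Name         : Unknown (0x3039)
Product ID                : 7 (0x0007)
Product Name              : Unknown (0x7)
Device Available          : yes
Provides Device SDRs      : no
Additional Device Support :
    Sensor Device
    SDR Repository Device
    SEL Device
    FRU Inventory Device
    IPMB Event Receiver
    Chassis Device'

# Runs the summary over the constructed sample (used for the demo below).
bmc_inventory_from_sample() {
    printf '%s\n' "$SAMPLE_MC_INFO" | bmc_summary
}

# Demo on the constructed sample.
bmc_inventory_from_sample
```

Run the summary across a fleet (for example via `ssh host ipmitool mc info | bmc_summary`) and collect the lines into a spreadsheet; the manufacturer and product fields tell you which vendor's firmware the BMC runs, and the firmware revision is what you compare against the vendor's update page once you have located it. Which ASPEED controller (AST2400 or AST2500) a Gigabyte board carries is not reported by IPMI and has to be read from the board's specification.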

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.