Firmware Bugs Plague Server Supply Chain, 7 Vendors Impacted

bmc server firmware bugs gigabyte lenovo

Lenovo, Acer and five additional server manufacturers are hit with supply-chain bugs buried in motherboard firmware.

Two firmware vulnerabilities impacting Lenovo, Acer and five additional server brands allow adversaries to brick servers, run arbitrary code on targeted systems and maintain a persistent foothold – surviving even an operating system reinstallation.

The bugs are tied to Gigabyte motherboards used in the vulnerable servers. The culprit is firmware for a motherboard component called a Baseboard Management Controller (BMC), which is used for subsystem management and monitoring. Server-makers using the vulnerable BMC firmware are Lenovo, Acer, AMAX, Bigtera, Ciara, Penguin Computing and sysGen.

The common thread connecting each of the server brands is the use of two specific motherboard SKUs made by Gigabyte, according to researchers at Eclypsium who first identified the bugs and publicly disclosed their findings Tuesday.

Both of these use  third-party firmware in the BMC called MergePoint EMS, made by a firm called Vertiv. Researchers said only Gigabyte servers based on Vertiv BMCs are affected. Gigabyte is a leading motherboard-maker who supplies enterprise server-makers, such as Lenovo, and a host of smaller system integrators.

“This highlights an important challenge for the industry. Most hardware vendors do not write their own firmware and instead rely on their supply-chain partners,” researchers wrote.

Breaking Down the Bugs

The first of the two vulnerabilities needed to carry out an attack is a lack of authentication within the BMC firmware. “The BMC firmware update process for MergePoint EMS does not perform cryptographic signature verification before accepting updates and writing the contents to SPI flash,” they wrote.

SPI stands for Serial Peripheral Interface, and it is used to communicate with motherboard-based serial flash devices.

The second bug is a command-injection bug. In this context, the code in the BMC that performs the firmware update process itself contains the command-injection vulnerability.

“Both of these issues allow an attacker running with administrative privileges on the host (such as through exploitation of a different host-based vulnerability) to run arbitrary code within the BMC as root and make persistent modifications to the BMC’s SPI flash contents,” according to researchers.

In this respect, the flaws would require advanced work by an adversary. However, once in, the stealth and persistent nature of the flaw allows for an attacker to hide on a system’s flash chips. Neither a software upgrade or swapping out local storage would mitigate the attack vector.

The potential destructive nature of an attack, leveraging the duo of bugs, have researchers particularly worried given a recent spate of “wiper” malware attacks.

Shamoon, BlackEnergy, NotPetya, KillDisk, TRISIS and VPNFilter have become so disruptive they even raised alarm at the Department of Homeland Security, which recently warned of a likely surge in these attacks on enterprise and critical infrastructure. As attackers and nation-states target higher-value assets, BMC and other firmware inside critical servers provide a particularly strategic target, as they can be used to irrevocably ‘brick’ the server and its contents,” they said.

Mitigation efforts by Gigabyte have included a patch, deployed May 8, to address the command-injection vulnerability on motherboards using the AST2500 BMC hardware and firmware implementation. The AST2400 firmware version remains unpatched as of June 21, Eclypsium noted. The motherboard-maker has not yet released an advisory for the issue.

According to the disclosure timeline, Lenovo was notified of the bug in July 2018 and in November of the same year made a patch available to customers. In March, Gigabyte was alerted to both BMC firmware vulnerabilities, and in May silently issued a patch for one (AST2500) of the two flaws.

Don’t miss our free live Threatpost webinar, “Streamlining Patch Management,” on Wed., July 24, at 2:00 p.m. EDT. Please join Threatpost editor Tom Spring and a panel of patch experts as they discuss the latest trends in Patch Management, how to find the right solution for your business and what the biggest challenges are when it comes to deploying a program. Register and Learn More

Suggested articles