Gigabyte and Lenovo servers impacted by common BMC firmware flaws

Two different bugs, EOLs, and a complex supply chain make patching a nightmare.


Gigabyte and Lenovo have published firmware updates for some of their server-dedicated motherboards.

Affected products used a firmware component named MergePoint EMS, made and supplied by Avocent, a software provider now a wholly-owned subsidiary of data center equipment and service provider Vertiv.

Both Gigabyte and Lenovo deployed the MergePoint EMS component as the baseboard management controller (BMC) firmware that shipped with some of their server-line motherboards.

BMCs are part of the larger Intelligent Platform Management Interface (IPMI). IPMI is a collection of tools usually found on servers and workstations deployed on enterprise networks that allow sysadmins to manage systems from remote locations.

The BMC is a component that contains its own CPU, storage system, and LAN interface that allows a remote admin to connect to or send instructions to the PC/server to perform various operations, such as modifying OS settings, reinstalling the OS, or updating drivers.

Two flaws in the MergePoint EMS firmware

In a report released on Tuesday, July 16, security researchers from Eclypsium published details about two vulnerabilities in the Vertiv Avocent MergePoint EMS BMC firmware.

The first is that the component lacks a cryptographically secure update process, meaning any attacker with a foothold on an infected device can overwrite the BMC firmware with their own malicious version.

Second, the MergePoint EMS component contains a command injection vulnerability that allows an attacker to run malicious code with the highest privileges on a host running the vulnerable MergePoint EMS BMC firmware.

Both vulnerabilities require that an attacker already has access to, or has already compromised, the host. This means the two vulnerabilities can't be used to break into and take over remote servers.

However, they can be used to establish extremely persistent backdoors that can survive even OS reinstalls.
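The difference behind the first flaw, as an added example that is not from Eclypsium's report or any vendor's code: an updater that only compares a digest shipped alongside the image accepts a modified image, while one that verifies a signature against an already-trusted public key rejects it. The key pair, file names and image contents are constructed for the demo, and the checksum-only updater is a generic stand-in, not the MergePoint EMS update format.

```shell
#!/bin/sh
# Added example: integrity-only vs. signature-verified firmware acceptance.
# Everything under $WORK is constructed for the demo; requires the openssl CLI.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

sha256_of() { openssl dgst -sha256 -r "$1" | cut -d' ' -f1; }

# Vendor side: build an image, publish its digest, and sign it.
make_release() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/vendor.key" 2>/dev/null
  openssl pkey -in "$WORK/vendor.key" -pubout -out "$WORK/vendor.pub"
  printf 'BMC-IMAGE v1 (constructed)\n' > "$WORK/bmc.img"
  sha256_of "$WORK/bmc.img" > "$WORK/bmc.img.sha256"
  openssl dgst -sha256 -sign "$WORK/vendor.key" \
    -out "$WORK/bmc.img.sig" "$WORK/bmc.img"
}

# Integrity only: the expected digest travels with the image, so whoever
# can change the image can also change the digest.
accept_checksum_only() {
  [ "$(sha256_of "$1")" = "$(cat "$1.sha256")" ]
}

# Authenticity: the signature must verify under a public key the updater
# already holds; producing a new one requires the vendor's private key.
accept_signed() {
  openssl dgst -sha256 -verify "$WORK/vendor.pub" \
    -signature "$1.sig" "$1" >/dev/null 2>&1
}

# Stand-in for a local change to the image, with the digest refreshed.
modify_image() {
  printf 'bytes not from the vendor\n' >> "$1"
  sha256_of "$1" > "$1.sha256"
}

make_release
accept_checksum_only "$WORK/bmc.img" && echo "vendor image: checksum accepted"
accept_signed "$WORK/bmc.img" && echo "vendor image: signature accepted"
modify_image "$WORK/bmc.img"
accept_checksum_only "$WORK/bmc.img" && echo "modified image: checksum accepted"
accept_signed "$WORK/bmc.img" || echo "modified image: signature rejected"
```

In a real update path the public key has to live somewhere the running OS cannot rewrite, otherwise the check can be replaced along with the image.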

Lenovo patches

To address these two security flaws discovered in the MergePoint EMS component, Lenovo released firmware updates in November 2018. Impacted products include several Lenovo ThinkServer models, listed in the Lenovo security advisory.

However, the patches address only the command injection vulnerability, not the first, which allowed non-verified firmware updates.

Lenovo told Eclypsium they don't intend to patch the first, citing that in 2014, when they first started deploying the MergePoint EMS component as the firmware for their servers' BMC, cryptographically-signed firmware updates were not an industry standard, and this protection was not included in the component's design.

The company said it does not plan to address this issue, and will let impacted products reach end of life. The company did not publish an exact list of server-line products that are using an insecure BMC firmware update process.

Gigabyte patches

Similarly, Gigabyte also published firmware updates in May, but the company did not release an official advisory with information for its customers.

Just like Lenovo, Gigabyte patched only the second flaw (command injection), and not the first.

Eclypsium said Gigabyte released firmware updates only for motherboards that use the ASPEED AST2500 controller as their BMC's hardware. No updates were provided for server motherboards that used the ASPEED AST2400 controller.

Both AST2500 and AST2400 used the Vertiv Avocent MergePoint EMS for the BMC firmware.

Gigabyte switches to AMI-based BMC firmware

In late June, Gigabyte also announced that it was ending support for products running Vertiv Avocent MergePoint EMS firmware, and switching to the AMI MegaRAC SP-X firmware platform instead.

The company began releasing server motherboard firmware updates to replace the BMC firmware with the new AMI MegaRAC SP-X.

Gigabyte's decision came after Vertiv itself announced on April 1, 2019, that it was ending support for the MergePoint EMS firmware platform.

So, basically, Gigabyte customers can protect themselves by installing the new AMI-based firmware, when available.

The Gigabyte supply-chain problem

However, things are not that simple. Eclypsium pointed out that Gigabyte also provides some of its server motherboards to third-party system integrators, who build custom server products under their own brands.

Now, Eclypsium fears that several servers sold by Acer, AMAX, Bigtera, Ciara, Penguin Computing, and sysGen may also contain the same MergePoint EMS firmware flaws due to their Gigabyte roots.

Gigabyte could not be reached over the phone for more information about which third-party companies used its server motherboards as part of their supply chain, if the companies use any vulnerable motherboards, or if those companies have been notified about the security issues reported by Eclypsium.

The situation is a little bit gray right now for some device owners, as they'll have to dig deep into their server's hardware and check what BMC controller and what firmware they're running, and then search for firmware updates, if they exist for their products.

Eclypsium said Vertiv never responded to its communications regarding the security flaws. ZDNet reached out for comment before this article's publication.

"We are aware of the reports regarding some older versions of our products," a Vertiv spokesperson told us in an email. "We are evaluating the matter and will determine if any actions should be taken. We will be able to share more information as soon as we complete our evaluation."

Article updated on July 18, at 4:15am ET, with comment from a Vertiv spokesperson.
