Gigabyte and Lenovo have published firmware updates for some of their server-dedicated motherboards.
Affected products used a firmware component named MergePoint EMS, made and supplied by Avocent, a software provider now a wholly-owned subsidiary of data center equipment and service provider Vertiv.
Both Gigabyte and Lenovo deployed the MergePoint EMS component as the baseboard management controller (BMC) firmware that shipped with some of their server-line motherboards.
BMCs are components of the larger Intelligent Platform Management Interface (IPMI), a collection of tools usually found on servers and workstations deployed on enterprise networks that allows sysadmins to manage systems remotely.
The BMC has its own CPU, storage, and LAN interface, which let a remote admin connect to the PC/server and send it instructions to perform operations such as modifying OS settings, reinstalling the OS, or updating drivers.
Two flaws in the MergePoint EMS firmware
In a report published on Tuesday, July 16, security researchers from Eclypsium published details about two vulnerabilities in the Vertiv Avocent MergePoint EMS BMC firmware.
The first is that the component lacks a cryptographically secure update process, meaning any attacker with a foothold on an infected device can overwrite the BMC firmware with their own malicious version.
Second, the MergePoint EMS component contains a command injection vulnerability that allows an attacker to run malicious code with the highest privileges on a host running the vulnerable MergePoint EMS BMC firmware.
Both vulnerabilities require that an attacker already has access to, or has already compromised, the host. This means the two vulnerabilities can't be used to break into and take over remote servers.
However, they can be used to establish extremely persistent backdoors that can survive even OS reinstalls.
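As an added illustration of the protection the first flaw is missing (this is example code, not code from Eclypsium, Vertiv, Gigabyte, or Lenovo), here is a minimal signed-update check in Go: the BMC accepts an image only if a vendor signature over it verifies, so a modified or unsigned image is refused before it reaches flash. The update container layout, the key handling, and the sample image are assumptions for this example, not the MergePoint EMS format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// FirmwareUpdate is a hypothetical container (not the MergePoint EMS format):
// image bytes plus a detached ed25519 signature over the image's SHA-256 digest.
type FirmwareUpdate struct {
	Image     []byte
	Signature []byte
}
// SignUpdate is the vendor-side step: sign the image digest with the private key.
func SignUpdate(priv ed25519.PrivateKey, image []byte) FirmwareUpdate {
	d := sha256.Sum256(image)
	return FirmwareUpdate{Image: image, Signature: ed25519.Sign(priv, d[:])}
}

// VerifyUpdate is the check a BMC should run before writing to flash: only
// images signed by the vendor key provisioned in the BMC are accepted.
func VerifyUpdate(vendorPub ed25519.PublicKey, u FirmwareUpdate) error {
	if len(u.Signature) != ed25519.SignatureSize {
		return errors.New("update carries no signature; refusing to flash")
	}
	d := sha256.Sum256(u.Image)
	if !ed25519.Verify(vendorPub, d[:], u.Signature) {
		return errors.New("signature does not match image; refusing to flash")
	}
	return nil
}

// Demo: genuine update accepted, tampered image rejected, unsigned image rejected.
func Demo() (genuineOK, tamperedRejected, unsignedRejected bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	image := []byte("constructed BMC firmware image v1.2.3") // sample, not a real image
	update := SignUpdate(priv, image)
	genuineOK = VerifyUpdate(pub, update) == nil
	tampered := FirmwareUpdate{Image: append([]byte{}, image...), Signature: update.Signature}
	tampered.Image[0] ^= 0xff // one altered byte stands in for a replaced image
	tamperedRejected = VerifyUpdate(pub, tampered) != nil
	unsignedRejected = VerifyUpdate(pub, FirmwareUpdate{Image: image}) != nil
	return
}
func main() { fmt.Println(Demo()) }
```

Without a check of this kind, whoever can reach the update path on the host can write any image to the BMC, which is why the flaw enables persistence rather than remote entry.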
To address these two security flaws discovered in the MergePoint EMS component, Lenovo has released firmware updates in November 2018. Impacted products include several Lenovo ThinkServer models, listed in the Lenovo security advisory.
However, the patches address only the command injection vulnerability, not the first flaw, the unverified firmware update process.
Lenovo told Eclypsium they don't intend to patch the first, citing that in 2014, when they first started deploying the MergePoint EMS component as the firmware for their servers' BMC, cryptographically signed firmware updates were not an industry standard, and this protection was not included in the component's design.
The company said it does not plan to address this issue, and will let impacted products reach end of life. The company did not publish an exact list of server-line products that are using an insecure BMC firmware update process.
Similarly, Gigabyte also published firmware updates in May, but the company did not release an official advisory with information for its customers.
Just like Lenovo, Gigabyte patched only the second flaw (command injection), and not the first.
Eclypsium said Gigabyte released firmware updates only for motherboards that use the ASPEED AST2500 controller as their BMC's hardware. No updates were provided for server motherboards that used the ASPEED AST2400 controller.
Both AST2500 and AST2400 used the Vertiv Avocent MergePoint EMS for the BMC firmware.
Gigabyte switches to AMI-based BMC firmware
In late June, Gigabyte also announced that it was ending support for products running Vertiv Avocent MergePoint EMS firmware, and switching to the AMI MegaRAC SP-X firmware platform instead.
The company began releasing server motherboard firmware updates to replace the BMC firmware with the new AMI MegaRAC SP-X.
Gigabyte's decision came after Vertiv itself announced on April 1, 2019, that it was ending support for the MergePoint EMS firmware platform.
In short, Gigabyte customers can protect themselves by installing the new AMI-based firmware, where available.
The Gigabyte supply-chain problem
However, things are not that simple. Eclypsium also pointed out that Gigabyte provides some of its server motherboards to third-party system integrators, who build custom server products under their own brands.
Now, Eclypsium fears that several servers sold by Acer, AMAX, Bigtera, Ciara, Penguin Computing, and sysGen may also contain the same MergePoint EMS firmware flaws due to their Gigabyte roots.
Gigabyte could not be reached over the phone for more information about which third-party companies used its server motherboards as part of their supply chain, if the companies use any vulnerable motherboards, or if those companies have been notified about the security issues reported by Eclypsium.
The situation is somewhat murky right now for some device owners, who will have to dig into their server's hardware to check which BMC controller and firmware they're running, and then search for firmware updates, if any exist for their products.
Eclypsium said Vertiv never responded to its communications regarding the security flaws. ZDNet reached out for comment before this article's publication.
Vertiv update 1 [July]:
"We are aware of the reports regarding some older versions of our products," a Vertiv spokesperson told us in an email. "We are evaluating the matter and will determine if any actions should be taken. We will be able to share more information as soon as we complete our evaluation."
Vertiv update 2 [October]:
"As a leading provider of BMC firmware to the OEM community, Avocent began working with key customers as early as 2012, before it was common in the industry, to encrypt and provide verification that the software or firmware being updated was from a trusted source. In 2014, Avocent released a feature upgrade for the MergePoint EMS BMC firmware platform that included verification signing. During the past year, we were alerted to the command line concern and quickly developed and released a patch for our customers.
"We are not aware of any issues related to this, and it's important to note that the issue identified by the researcher could not have been used to penetrate a network or system. Only someone with access to the system could exploit it.
"We appreciate researchers bringing matters like this to our attention. It helps strengthen our products, and provides an opportunity to remind all consumers and businesses to regularly install software updates and patches to keep their systems current."
Article updated on July 18, at 4:15am ET, with comment from a Vertiv spokesperson, and then on October 22 with an updated statement.