The firmware responsible for the remote management features of Supermicro servers contains vulnerabilities that allow attackers to gain a permanent foothold on servers, one that survives OS reinstalls, and to open otherwise closed systems to remote attack.
According to a report authored by Eclypsium researchers and shared with ZDNet prior to publication, the vulnerabilities affect the firmware of baseboard management controllers (BMCs).
BMCs are components of the larger Intelligent Platform Management Interface (IPMI) architecture. IPMI is a standardized set of interfaces and tools, usually found on servers and workstations deployed on enterprise networks, that lets sysadmins manage systems from remote locations, independently of the host OS.
The BMC is a separate component with its own CPU, storage, and LAN interface. It lets a remote admin connect to the PC/server and send it instructions, even when the host is powered off or its OS is unresponsive, to perform various operations, such as modifying OS settings, reinstalling the OS, or updating drivers.
Eclypsium researchers said they found that the firmware of BMC components included with Supermicro servers contains some dangerous design flaws.
"We found that the BMC code responsible for processing and applying firmware updates does not perform cryptographic signature verification on the provided firmware image before accepting the update and committing it to non-volatile storage," Eclypsium researchers said.
"This effectively allows the attacker to load modified code onto the BMC."
Researchers say attackers can rewrite the BMC firmware by supplying a malicious firmware image and forcing a BMC firmware update: because the BMC never verifies the image's authenticity, it overwrites the legitimate firmware with the attacker's.
They can then hide their own code inside the BMC, separate from the rest of the computer. Such code could let attackers control servers from afar, survive OS wipes or reinstalls, or even remotely wipe machines in sabotage operations.
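Why the missing check matters is easiest to see in code. The following is an added example, not Eclypsium's or Supermicro's code. It models a BMC update handler with a constructed image format (magic, version, payload, CRC, signature) and a simulated flash, and contrasts the vulnerable path, which commits any image whose header and CRC look right, with a hardened path that verifies a vendor signature over header and payload and refuses downgrades. A Lamport one-time hash-based signature stands in for the vendor's RSA or ECDSA key because it needs only the standard library; the scheme is real (each key may sign only once), but the image layout, payload strings, key handling and function names are all assumptions.

```python
import hashlib
import secrets
import struct
import zlib

# Constructed image layout (an assumption, not Supermicro's real format):
# magic(4) | version(u32) | payload_len(u32) | payload | CRC32(header+payload) | signature(header+payload)
MAGIC = b"BMCF"
HDR = struct.Struct("<4sII")
SIG_LEN = 256 * 32

def lamport_keygen():
    """Lamport one-time signature key pair, standing in for the vendor's RSA/ECDSA key.
    Each key may sign exactly one message."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(hashlib.sha256(a).digest(), hashlib.sha256(b).digest()) for a, b in sk]
    return sk, pk

def lamport_sign(sk, msg):
    """Reveal, for each bit of SHA-256(msg), the secret matching that bit."""
    digest = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return b"".join(sk[i][(digest >> (255 - i)) & 1] for i in range(256))

def lamport_verify(pk, msg, sig):
    """Hash each revealed secret and compare it with the public key half for that bit."""
    if len(sig) != SIG_LEN:
        return False
    digest = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    for i in range(256):
        bit = (digest >> (255 - i)) & 1
        if hashlib.sha256(sig[32 * i:32 * i + 32]).digest() != pk[i][bit]:
            return False
    return True

def build_image(version, payload, signing_key):
    body = HDR.pack(MAGIC, version, len(payload)) + payload
    return body + struct.pack("<I", zlib.crc32(body)) + lamport_sign(signing_key, body)

def parse_image(image):
    magic, version, plen = HDR.unpack_from(image)
    end = HDR.size + plen
    body = image[:end]
    crc = struct.unpack_from("<I", image, end)[0]
    return magic, version, body, crc, image[end + 4:]

class Flash:
    """Simulated BMC SPI flash: whatever is committed here outlives an OS reinstall."""
    def __init__(self):
        self.firmware = b""
        self.version = 0

def vulnerable_apply_update(flash, image):
    """The flaw Eclypsium describes: integrity (CRC) is checked, authenticity is not."""
    magic, version, body, crc, _sig = parse_image(image)
    if magic != MAGIC or zlib.crc32(body) != crc:
        return "rejected: bad magic/CRC"
    flash.firmware = body[HDR.size:]  # signature field is never examined
    flash.version = version
    return "committed"

def hardened_apply_update(flash, image, vendor_pk):
    """Verify the vendor signature over header+payload before touching flash,
    and refuse downgrades so a signed-but-old image cannot reintroduce a bug."""
    magic, version, body, crc, sig = parse_image(image)
    if magic != MAGIC or zlib.crc32(body) != crc:
        return "rejected: bad magic/CRC"
    if not lamport_verify(vendor_pk, body, sig):
        return "rejected: bad signature"
    if version <= flash.version:
        return "rejected: rollback"
    flash.firmware = body[HDR.size:]
    flash.version = version
    return "committed"

def demo():
    vendor_sk, vendor_pk = lamport_keygen()
    legit = build_image(1, b"constructed vendor BMC payload", vendor_sk)
    # Attacker with root (or IPMI admin) splices an implant into the vendor image,
    # fixes up header and CRC, and leaves the vendor's signature bytes in place.
    implant = b"constructed vendor BMC payload + attacker implant"
    _, version, _, _, vendor_sig = parse_image(legit)
    tampered = HDR.pack(MAGIC, version, len(implant)) + implant
    tampered += struct.pack("<I", zlib.crc32(tampered)) + vendor_sig
    # Attacker instead signs the implant with a key of their own.
    attacker_sk, _ = lamport_keygen()
    resigned = build_image(2, implant, attacker_sk)
    hardened = Flash()
    return {
        "vulnerable/legit": vulnerable_apply_update(Flash(), legit),
        "vulnerable/tampered": vulnerable_apply_update(Flash(), tampered),
        "hardened/legit": hardened_apply_update(hardened, legit, vendor_pk),
        "hardened/tampered": hardened_apply_update(hardened, tampered, vendor_pk),
        "hardened/resigned": hardened_apply_update(hardened, resigned, vendor_pk),
    }

if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:20} {outcome}")
```

The vulnerable handler commits both the vendor image and the spliced one, because a CRC only detects accidental corruption; the hardened handler commits the vendor image and rejects both the spliced image and the one the attacker re-signed with their own key. Two caveats carry over to real BMCs: the verifying public key must live in storage the update path cannot rewrite (ROM or one-time-programmable memory), or an attacker with write access simply swaps the key along with the firmware, and a version or anti-rollback check is needed so that a genuinely signed older image with known bugs cannot be reinstalled. A production scheme would use RSA or ECDSA, or a stateful hash-based scheme such as LMS or XMSS (NIST SP 800-208) rather than a one-time Lamport key.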
In an interview with ZDNet, Yuriy Bulygin, CEO and co-founder of Eclypsium, said this vulnerability is locally exploitable, but also remotely exploitable in some cases.
Attackers would need software running on the target's system with root privileges to modify Supermicro BMC firmware code. But if the attacker gets hold of admin credentials for the IPMI interface, the attack can be carried out remotely, from the same network or, where the interface is exposed, from the Internet.
Eclypsium says all X8 through X11 generation Supermicro servers are vulnerable to this flaw. They say they contacted Supermicro with their findings.
Supermicro responded by enforcing BMC firmware signature checks at update time for all new Supermicro products.
Cryptographic signature checks have also been added for X10 and X11 Supermicro servers, but the feature is not enabled by default for customers who upgrade from older platforms. The company has set up a support page for customers upgrading to the new X10/X11 platforms with information on how to enable BMC firmware cryptographic signature checks.
Supermicro is not the only vendor affected, either.
"We reported to Supermicro and another major server vendor," Bulygin told ZDNet. "Unfortunately, we are still coordinating the disclosure with that vendor and cannot name them."
The full Eclypsium report containing more in-depth technical details about the flaws researchers found is scheduled to go live later today on the Eclypsium blog.
This is the second firmware-related vulnerability Eclypsium researchers have found in Supermicro products. In June they disclosed an issue that let attackers modify the Descriptor Region settings of Supermicro systems (the descriptor in SPI flash that defines which regions of the chip the host is allowed to write). That flaw, too, allowed local software running on the OS to overwrite Supermicro firmware.