Severe Firmware Vulnerabilities Found In Popular Supermicro Server Products (bleepingcomputer.com) 45
An anonymous reader quotes a report from Bleeping Computer: Security researchers have uncovered vulnerabilities affecting the firmware of the very popular Supermicro enterprise-line server products. These vulnerabilities affect both older and newer models of Supermicro products, but the vendor is working on addressing the issues. These vulnerabilities do not put the safety of Supermicro products at direct risk, as they can only be exploited via malicious software/code (aka malware) already running on a system. Nevertheless, exploiting these vulnerabilities allows the malware to obtain an almost permanent foothold on infected systems by gaining the ability to survive server OS reinstalls by hiding in the hardware's firmware. Technical details are available in an Eclypsium blog post, while a list of affected servers is available here.
Re: (Score:2)
TLDR: root can update the firmware, isn't signed (Score:5, Informative)
To summarize the article, in some instances the administrator can update firmware. The hardware doesn't require that the firmware be signed, so you can use your own firmware. That means if a bad guy has full control of your system, he could install malicious firmware.
Action to take:
If a system gets rooted, consider updating firmware for disk controllers and such before you re-install the OS.
By the way, quite separate from this story, you DO need to re-install the OS if you get a root kit. It's impossible to reliably "clean up" a rooted system without reinstalling, and that has always been true. This story reminds us to do the firmware as well if you get rooted.
Re: (Score:2)
I's not impossible to clean up a system with a root kit without reinstalling; it's just impossible to actually know you're done with the cleanup.
On the contrary, reinstalling the OS is no guarantee that you got rid of your root kit, especially not if your firmware is compromised.
Re: (Score:1)
Supermicro Firmware Updates (Score:1)
I'm just going to say this. I don't know what the deal is with Supermicro and firmware updates. For various products I admin they only have the latest version firmware available on their site with no ability to download previous releases and there are absolutely no change logs to be found. For an enterprise brand I expect more.
Re: (Score:3)
Unfortunately, expect this to be more normal. If there's any whiff of a security issue with an older firmware, companies are afraid of being downright liable for problems with users voluntarily running older firmware.
The security issue can be absolutely zero risk (either unused path, implausible attack vector in the context, or even not having the code at all but updating because people assume it would), but it's just too scary to take a chance.
Re: (Score:2)
No shit sherlock, what the fuck did you do to fix them? Which bugs?
What the hell happened to a write jumper? (Score:3, Insightful)
Why is the solution to everything these days to incorporate firmware signing when a simple write jumper on a PCB would protect the system far better than any sort of encryption ever could?
You can't write to a chip if that functionality is electrically disabled. This should be fucking standard on server hardware. Make the write enable a physical switch on the back of the machine. In order to flash system, you have to turn it off, press that button, and turn it on again. Once the system is rebooted, the write enable unlatches and returns to a protected state.
Instead, everyone is freaking out about firmware signing this, firmware signing that. What if I want to install my own custom firmware? It's not totally inconceivable that someone might want to do that. I remember flashing a custom BIOS to a 586 system once to unlock support for the AMD K6-2 CPUs. More recently I had to splice in some updated firmware for an Intel CPU onto a board that was no longer receiving updates. It's impossible to do this if the firmware is signed, which, again, there is no real reason for because the write pins for the chip holding your firmware should be protected by some sort of physical setup.
Re: (Score:1)
^THIS^ A thousand times over!
Re: What the hell happened to a write jumper? (Score:1)
it's hard to flip the switch when the box is in a datacenter 2000 miles away and you're updating firmware remotely.
Re: (Score:1)
Thanks to Intel the update are very very often now. First was the Spectre/Meltdown one (which Supermicro took to their entire line, EOL or not, kudos to them) and now we will have another for Spectre v3a/v4. Not to mention the looming Spectre-NG which are not yet public and will probably require a new one as well.
Re: (Score:1)
it's hard to flip the switch when the box is in a datacenter 2000 miles away and you're updating firmware remotely.
DC employees are there just to flip switches. Make it a jumper on the board that you can then bring out to a case switch.
Re:What the hell happened to a write jumper? (Score:4)
Because the write jumper on the board would be left in 'write' position by most people and offer no protection is the short answer.
There was even a brief period where the jumper you described actually did exist for some vendors (it was 'bypass signing') but it was used as a debug tool and undocumented for the users. Eventually security folks declared that to be too risky in the face of the chance of a supply chain attack. Middle-men along the product's journey to the customer can mess with jumpers and dip switches all day long.
Re: What the hell happened to a write jumper? (Score:1)
Re: What the hell happened to a write jumper? (Score:1)
Remember when slashdot listed related stories? (Score:2)
Pepperidge farms remembers [slashdot.org]
Just like the top comment on that story, if you use supermicro, you deserve what you get. It has been conclusively proven time and again that they do not take security seriously.
welcome to paradise, half full (Score:3)
My afflicted X9SAE under FreeBSD routinely had uptimes over a year. Until we moved.
Now we reside in a charming garden community, almost exactly between the sea and a middling—but very busy—all-purpose international airport (flight school, helicopter base, many small planes, in addition to all the commercial jets and turboprops). This whole show is close enough to the sea that there's actually a gate in the s
Re: welcome to paradise, half full (Score:2)
So when will amazon/ring clean up? (Score:1)
Are others still seeing their Ring send packets to china?
Phòng Khám a Khoa Âu Á (Score:1)