
Severe Firmware Vulnerabilities Found In Popular Supermicro Server Products (bleepingcomputer.com)

An anonymous reader quotes a report from Bleeping Computer: Security researchers have uncovered vulnerabilities affecting the firmware of the very popular Supermicro enterprise-line server products. These vulnerabilities affect both older and newer models of Supermicro products, but the vendor is working on addressing the issues. These vulnerabilities do not put the safety of Supermicro products at direct risk, as they can only be exploited via malicious software/code (aka malware) already running on a system. Nevertheless, exploiting these vulnerabilities allows the malware to obtain an almost permanent foothold on infected systems by gaining the ability to survive server OS reinstalls by hiding in the hardware's firmware. Technical details are available in an Eclypsium blog post, while a list of affected servers is available here.

  • by raymorris ( 2726007 ) on Thursday June 07, 2018 @10:17PM (#56747072) Journal

    To summarize the article, in some instances the administrator can update firmware. The hardware doesn't require that the firmware be signed, so you can use your own firmware. That means if a bad guy has full control of your system, he could install malicious firmware.

    Action to take:
    If a system gets rooted, consider updating firmware for disk controllers and such before you re-install the OS.

    By the way, quite separate from this story, you DO need to re-install the OS if you get a root kit. It's impossible to reliably "clean up" a rooted system without reinstalling, and that has always been true. This story reminds us to do the firmware as well if you get rooted.

    • by fisted ( 2295862 )

      It's not impossible to clean up a system with a root kit without reinstalling; it's just impossible to actually know you're done with the cleanup.

      On the contrary, reinstalling the OS is no guarantee that you got rid of your root kit, especially not if your firmware is compromised.

    • My mod points are out, but this post deserves +5.
  • by Anonymous Coward

    I'm just going to say this. I don't know what the deal is with Supermicro and firmware updates. For various products I admin they only have the latest version firmware available on their site with no ability to download previous releases and there are absolutely no change logs to be found. For an enterprise brand I expect more.

    • by Junta ( 36770 )

      Unfortunately, expect this to be more normal. If there's any whiff of a security issue with an older firmware, companies are afraid of being downright liable for problems with users voluntarily running older firmware.

      The security issue can be absolutely zero risk (either unused path, implausible attack vector in the context, or even not having the code at all but updating because people assume it would), but it's just too scary to take a chance.

    • by pnutjam ( 523990 )
      Google's apps all have changelogs that just say "bugs fixed".

      No shit sherlock, what the fuck did you do to fix them? Which bugs?
  • by Anonymous Coward on Friday June 08, 2018 @01:04AM (#56747576)

    Why is the solution to everything these days to incorporate firmware signing when a simple write jumper on a PCB would protect the system far better than any sort of encryption ever could?

    You can't write to a chip if that functionality is electrically disabled. This should be fucking standard on server hardware. Make the write enable a physical switch on the back of the machine. In order to flash system, you have to turn it off, press that button, and turn it on again. Once the system is rebooted, the write enable unlatches and returns to a protected state.

    Instead, everyone is freaking out about firmware signing this, firmware signing that. What if I want to install my own custom firmware? It's not totally inconceivable that someone might want to do that. I remember flashing a custom BIOS to a 586 system once to unlock support for the AMD K6-2 CPUs. More recently I had to splice in some updated firmware for an Intel CPU onto a board that was no longer receiving updates. It's impossible to do this if the firmware is signed, which, again, there is no real reason for because the write pins for the chip holding your firmware should be protected by some sort of physical setup.

    • by sjames ( 1099 )

      ^THIS^ A thousand times over!

    • it's hard to flip the switch when the box is in a datacenter 2000 miles away and you're updating firmware remotely.

      • it's hard to flip the switch when the box is in a datacenter 2000 miles away and you're updating firmware remotely.

        DC employees are there just to flip switches. Make it a jumper on the board that you can then bring out to a case switch.

    • by Junta ( 36770 ) on Friday June 08, 2018 @08:44AM (#56748862)

      Because the write jumper on the board would be left in 'write' position by most people and offer no protection is the short answer.

      There was even a brief period where the jumper you described actually did exist for some vendors (it was 'bypass signing') but it was used as a debug tool and undocumented for the users. Eventually security folks declared that to be too risky in the face of the chance of a supply chain attack. Middle-men along the product's journey to the customer can mess with jumpers and dip switches all day long.
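
      A defender-side check that follows from the jumper-versus-signing debate above (an added example, not code from the article, Eclypsium or Supermicro): decoding the chipset registers that decide whether the BIOS flash region is writable from a running OS, which is what matters once an attacker already has root. It assumes the documented Intel PCH layout of BIOS_CNTL (BIOSWE bit 0, BLE bit 1, SMM_BWP bit 5) and of the SPI protected-range registers PR0..PR4 (WPE bit 31, limit bits 28:16, base bits 12:0, 4 KiB units); the register values and the BIOS region address are constructed, not read from real hardware.

```python
"""Decode Intel PCH BIOS write-protection state from register values.

Assumed layouts (Intel PCH documentation): BIOS_CNTL bits BIOSWE=0, BLE=1,
SMM_BWP=5; SPI PRx bits WPE=31, PRL=28:16, PRB=12:0, 4 KiB granularity.
"""

BIOSWE, BLE, SMM_BWP = 1 << 0, 1 << 1, 1 << 5


def decode_bios_cntl(value):
    """Return the BIOS_CNTL flags and whether they amount to a real lock."""
    flags = {
        "BIOSWE": bool(value & BIOSWE),
        "BLE": bool(value & BLE),
        "SMM_BWP": bool(value & SMM_BWP),
    }
    # BLE traps attempts to set BIOSWE with an SMI; SMM_BWP stops anything
    # outside SMM from writing. Treat the region as locked only with both.
    flags["locked"] = flags["BLE"] and flags["SMM_BWP"]
    return flags


def decode_pr(value):
    """Return (base, limit) of a write-protected SPI range, or None if WPE is clear."""
    if not value & (1 << 31):
        return None
    base = (value & 0x1FFF) << 12
    limit = (((value >> 16) & 0x1FFF) << 12) | 0xFFF
    return (base, limit)


def covered(ranges, region_base, region_limit):
    """True if the merged write-protected ranges fully cover the region."""
    cursor = region_base
    for base, limit in sorted(r for r in ranges if r):
        if base > cursor:  # gap before this range: region not contiguous
            break
        cursor = max(cursor, limit + 1)
        if cursor > region_limit:
            return True
    return cursor > region_limit


def assess(bios_cntl, prs, bios_region):
    """Verdict for the BIOS region: either lock mechanism is enough."""
    cntl = decode_bios_cntl(bios_cntl)
    pr_ok = covered([decode_pr(v) for v in prs], *bios_region)
    return "PROTECTED" if cntl["locked"] or pr_ok else "WRITABLE"


if __name__ == "__main__":
    region = (0x800000, 0xFFFFFF)  # constructed 8 MiB BIOS region
    print(assess(0x00, [0] * 5, region))          # nothing set: WRITABLE
    print(assess(0x22, [0] * 5, region))          # BLE + SMM_BWP: PROTECTED
    print(assess(0x00, [0x8FFF0800], region))     # PR0 covers region: PROTECTED
```

      On a live machine the input values would come from a platform tool such as chipsec rather than the constructed constants used here.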

    • I'm fine with a jumper. I'd be fine with a toggle in the firmware that defaulted to on that controlled whether the firmware was write-protected. I'm NOT happy with firmware that can only be signed by the manufacturer. I have a specific example of a time where I was very glad that SuperMicro boards don't require signing! I'd been building a high-speed workstation for a client. An NVME drive had been purchased to function as the only drive, but the purchaser forgot to check if it had an boot/option rom for
  • Pepperidge farms remembers [slashdot.org]

    Just like the top comment on that story, if you use supermicro, you deserve what you get. It has been conclusively proven time and again that they do not take security seriously.

    • Just like the top comment on that story, if you use supermicro, you deserve what you get.

      My afflicted X9SAE under FreeBSD routinely had uptimes over a year. Until we moved.

      Now we reside in a charming garden community, almost exactly between the sea and a middling—but very busy—all-purpose international airport (flight school, helicopter base, many small planes, in addition to all the commercial jets and turboprops). This whole show is close enough to the sea that there's actually a gate in the s

  • Ring currently sends info to CHina. This has NOT been cleaned up. I would have thought that Amazon buying ring would force them to clean up their act.
    Are others still seeing their Ring send packets to china?
