Severe Firmware Vulnerabilities Found In Popular Supermicro Server Products (bleepingcomputer.com)
An anonymous reader quotes a report from Bleeping Computer: Security researchers have uncovered vulnerabilities affecting the firmware of the very popular Supermicro enterprise-line server products. These vulnerabilities affect both older and newer models of Supermicro products, but the vendor is working on addressing the issues. These vulnerabilities do not put the safety of Supermicro products at direct risk, as they can only be exploited via malicious software/code (aka malware) already running on a system. Nevertheless, exploiting these vulnerabilities allows the malware to obtain an almost permanent foothold on infected systems by gaining the ability to survive server OS reinstalls by hiding in the hardware's firmware. Technical details are available in an Eclypsium blog post, while a list of affected servers is available here.
To summarize the article, in some instances the administrator can update firmware. The hardware doesn't require that the firmware be signed, so you can use your own firmware. That means if a bad guy has full control of your system, he could install malicious firmware.
Action to take:
If a system gets rooted, consider updating firmware for disk controllers and such before you re-install the OS.
By the way, quite separate from this story, you DO need to re-install the OS if you get a rootkit. It's impossible to reliably "clean up" a rooted system without reinstalling, and that has always been true. This story reminds us to do the firmware as well if you get rooted.
I wish that was funny. :(
We turned our back on God and now we reap the reward.
I'm afraid you retards lost the first round because in the time it takes to read this an uneducated racist will shoot himself or a family member while cleaning / masturbating their gun.
My condolences go out to the families of the uneducated racists who will accidentally shoot themselves this week. Thank you for improving the gene pool.
These people just won't stop until he's gone. What happens when they lose the next election? Do you think they are just going to keep taking it? They'll claim the elections are not fair and probably not worth the time. Dictatorships and tyranny start from the left. Beware..
If it's an Intel server with TXT and has a TPM, the sysadmin can monitor the firmware installed periodically and detect if it's not what is expected.
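The monitoring this comment describes rests on the TPM's platform configuration registers: PCR0 holds the measurement of the firmware code, PCR1 its configuration, PCR7 the Secure Boot policy, so a firmware image the admin did not install shows up as a PCR value that no longer matches the baseline taken after a known-good flash. The script below is an added illustration, not code from the comment, from Supermicro or from Intel. It assumes the text format printed by `tpm2_pcrread` from tpm2-tools 4.x and later (bank header line, then `index : 0x<hex>` lines); the PCR values embedded in it are constructed and not real measurements.

```python
"""Compare firmware-related TPM PCRs against a known-good baseline.

Added example for the thread above (not the commenter's, Supermicro's or
Intel's code).  Assumes the text layout of `tpm2_pcrread` from tpm2-tools
4.x+; the digests below are constructed sample data, not real measurements.
"""
import re
from typing import Dict, List, Tuple

# PCRs extended by the platform firmware itself (TCG PC Client spec):
# 0 = firmware code, 1 = firmware configuration, 7 = Secure Boot policy.
FIRMWARE_PCRS = (0, 1, 7)

_BANK_LINE = re.compile(r"^\s*(sha\d+)\s*:\s*$")
_PCR_LINE = re.compile(r"^\s*(\d+)\s*:\s*0x([0-9A-Fa-f]+)\s*$")


def parse_pcrread(text: str) -> Dict[str, Dict[int, str]]:
    """Turn tpm2_pcrread output into {bank: {pcr_index: lowercase hex digest}}."""
    banks: Dict[str, Dict[int, str]] = {}
    current = None
    for line in text.splitlines():
        m = _BANK_LINE.match(line)
        if m:
            current = m.group(1)
            banks.setdefault(current, {})
            continue
        m = _PCR_LINE.match(line)
        if m and current is not None:
            banks[current][int(m.group(1))] = m.group(2).lower()
    return banks


def firmware_drift(baseline_text: str, current_text: str,
                   bank: str = "sha256",
                   pcrs: Tuple[int, ...] = FIRMWARE_PCRS) -> List[Tuple[int, str, str]]:
    """Return (pcr, expected, actual) for every monitored PCR that differs.

    A PCR or bank missing from the current reading is reported as drift too
    ("missing"): a silent pass on absent data would defeat the monitoring.
    """
    expected = parse_pcrread(baseline_text).get(bank, {})
    actual = parse_pcrread(current_text).get(bank, {})
    drift = []
    for pcr in pcrs:
        exp = expected.get(pcr, "missing")
        act = actual.get(pcr, "missing")
        if exp != act:
            drift.append((pcr, exp, act))
    return drift


# Constructed sample readings: the baseline taken after a known-good flash,
# and a later reading in which PCR0 (firmware code) has changed.
BASELINE = """\
  sha256:
    0 : 0x1111111111111111111111111111111111111111111111111111111111111111
    1 : 0x2222222222222222222222222222222222222222222222222222222222222222
    7 : 0x7777777777777777777777777777777777777777777777777777777777777777
"""
REFLASHED = """\
  sha256:
    0 : 0xDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF
    1 : 0x2222222222222222222222222222222222222222222222222222222222222222
    7 : 0x7777777777777777777777777777777777777777777777777777777777777777
"""

if __name__ == "__main__":
    for pcr, exp, act in firmware_drift(BASELINE, REFLASHED):
        print(f"PCR{pcr} changed: expected {exp[:16]}..., got {act[:16]}...")
```

In practice the baseline is captured once, right after the admin flashes a firmware version they trust, and the check runs from cron or the monitoring agent against fresh `tpm2_pcrread` output; a legitimate firmware update is the one event that should change PCR0 and therefore re-baselines. As the reply below notes, the measurement chain is only as trustworthy as the code that performs the measuring.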
I'm just going to say this. I don't know what the deal is with Supermicro and firmware updates. For various products I admin they only have the latest version firmware available on their site with no ability to download previous releases and there are absolutely no change logs to be found. For an enterprise brand I expect more.
Keep it up shitlib. We're here waiting for you to try and take them. I spent more money on ammo every month for the last 6 years than I did on my mortgage payment, car payment, internet payment and power bill combined.
The only thing your bitch ass will ever achieve is to be the 5th Trump supporter to shoot up an elementary school this year.
While you sit at home jacking off your gun I'm in my backyard swimming with my dogs and girlfriend.
Your violent fantasies will never amount to anything greater than a mid-level Trump inspired mass shooting that uneducated racists will blame on liberals while they masturbate their guns even harder.
Hopefully you will blow your brains out before you kill too many innocent children, or at least shoot off your tiny penis before you reproduce with a white trashy whale.
Keep sipping your cancer-causing Starbucks latte and keep pushing the autopilot mode on your Tesla. We'll see who lasts longer.
This is what happens when a MicroPenis gets out of control and starts betraying its country.
Why is the solution to everything these days to incorporate firmware signing when a simple write jumper on a PCB would protect the system far better than any sort of encryption ever could?
You can't write to a chip if that functionality is electrically disabled. This should be fucking standard on server hardware. Make the write enable a physical switch on the back of the machine. In order to flash system, you have to turn it off, press that button, and turn it on again. Once the system is rebooted, the write enable unlatches and returns to a protected state.
Instead, everyone is freaking out about firmware signing this, firmware signing that. What if I want to install my own custom firmware? It's not totally inconceivable that someone might want to do that. I remember flashing a custom BIOS to a 586 system once to unlock support for the AMD K6-2 CPUs. More recently I had to splice in some updated firmware for an Intel CPU onto a board that was no longer receiving updates. It's impossible to do this if the firmware is signed, which, again, there is no real reason for because the write pins for the chip holding your firmware should be protected by some sort of physical setup.
You guys just sit around Slashdot waiting for a new story to appear on the front page of Slashdot so you can post your same Trump crap over and over again? Sad.
Unless TXT is compromised by SMM infection. https://invisiblethingslab.com/resources/bh09dc/Attacking%20Intel%20TXT%20-%20paper.pdf
So, according to the article, to find out whether your Supermicro system is vulnerable to this, you install chipsec and then run: "chipsec_main -m common.spi_access" The article says: "If this test fails, then the current descriptor values offer no protection, because they can be changed." When I run it, I get:
ERROR: Exception occurred during import of chipsec.modules.common.spi_access: 'No module named spi_access'
ERROR: Exception occurred during chipsec.modules.common.spi_access.run(): 'No module named spi_access'
So, is the lack of a module called spi_access the same as a failure?
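The register state chipsec's `common.bios_wp` and `common.spi_lock` modules look at is small enough to decode by hand, which also answers the question of what "failure" means here: the BIOS region is writable from the OS when neither SMM_BWP nor the BLE/BIOSWE pair protects it, and the flash descriptor/protected-range registers are changeable when FLOCKDN is clear. The script below is an added example, not code from the Eclypsium post, from chipsec or from the commenter. It assumes the Intel PCH register layout (BIOS_CNTL at LPC/SPI PCI config offset 0xDC; HSFS at SPI MMIO offset 0x04) and operates on caller-supplied register values; the values in it are constructed, since reading the real ones needs kernel-level access to PCI config space and the SPI BAR, which chipsec provides and this example does not.

```python
"""Decode the Intel PCH SPI write-protection bits that chipsec's
common.bios_wp and common.spi_lock checks evaluate.

Added example for the thread above; not chipsec's code and not from the
Eclypsium post.  Register layout assumed: BIOS_CNTL (LPC/SPI PCI config
offset 0xDC) and HSFS (SPI MMIO offset 0x04) on Intel PCH.  Values passed in
below are constructed; real ones need kernel access (e.g. via chipsec).
"""
from typing import Dict, List

# BIOS_CNTL bits
BIOSWE = 1 << 0    # BIOS Write Enable: 1 = BIOS region writable
BLE = 1 << 1       # BIOS Lock Enable: setting BIOSWE raises an SMI so SMM can clear it
SMM_BWP = 1 << 5   # SMM BIOS Write Protect: writes honoured only from SMM

# HSFS bits
FLOCKDN = 1 << 15  # Flash Configuration Lock-Down: PR/FREG registers read-only


def bios_write_protected(bios_cntl: int) -> bool:
    """True when the BIOS region cannot be written from a normal OS driver.

    SMM_BWP alone is sufficient.  Otherwise BLE must be set and BIOSWE clear;
    BLE-only protection depends on the SMI handler re-clearing BIOSWE, which
    is weaker than SMM_BWP.
    """
    if bios_cntl & SMM_BWP:
        return True
    return bool(bios_cntl & BLE) and not (bios_cntl & BIOSWE)


def spi_config_locked(hsfs: int) -> bool:
    """True when FLOCKDN is set, so protected ranges and descriptor regs are frozen."""
    return bool(hsfs & FLOCKDN)


def assess(bios_cntl: int, hsfs: int) -> Dict[str, object]:
    """Summarise both checks the way a chipsec run would: a verdict plus findings."""
    findings: List[str] = []
    if not bios_write_protected(bios_cntl):
        if bios_cntl & BIOSWE:
            findings.append("BIOSWE=1: BIOS region writable from the OS")
        if not bios_cntl & BLE:
            findings.append("BLE=0: nothing stops a driver from setting BIOSWE")
    elif not bios_cntl & SMM_BWP:
        findings.append("SMM_BWP=0: protection relies on the BLE SMI handler only")
    if not spi_config_locked(hsfs):
        findings.append("FLOCKDN=0: protected ranges / descriptor access can be changed")
    protected = bios_write_protected(bios_cntl) and spi_config_locked(hsfs)
    return {"protected": protected, "findings": findings}


# Constructed register values: an unprotected board (all bits clear) and a
# board with SMM_BWP, BLE and FLOCKDN set.
UNPROTECTED = assess(bios_cntl=0x00, hsfs=0x0000)
LOCKED = assess(bios_cntl=SMM_BWP | BLE, hsfs=FLOCKDN)

if __name__ == "__main__":
    for name, result in (("unprotected", UNPROTECTED), ("locked", LOCKED)):
        print(name, "PASSED" if result["protected"] else "FAILED")
        for f in result["findings"]:
            print("  -", f)
```

On a board whose firmware never sets these bits, every field reads zero and the verdict is the one the article describes: any code with ring-0 access can reprogram the flash, which is what makes the rootkit survive a reinstall.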
It's not impossible to clean up a system with a rootkit without reinstalling; it's just impossible to actually know you're done with the cleanup.
On the contrary, reinstalling the OS is no guarantee that you got rid of your rootkit, especially not if your firmware is compromised.
Pepperidge farms remembers
Just like the top comment on that story, if you use supermicro, you deserve what you get. It has been conclusively proven time and again that they do not take security seriously.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Ring currently sends info to China. This has NOT been cleaned up. I would have thought that Amazon buying Ring would force them to clean up their act.
Are others still seeing their Ring send packets to China?
I prefer the "u" in honour as it seems to be missing these days.
My mod points are out, but this post deserves +5.
See subject: Tell me your REAL name, address & phone # so we can meet in person to settle this face to face/man to man you "not man" weasel.
OK?
APK
P.S.=> Pray to God I never find out who & where you are... apk
My afflicted X9SAE under FreeBSD routinely had uptimes over a year. Until we moved.
Now we reside in a charming garden community, almost exactly between the sea and a middling—but very busy—all-purpose international airport (flight school, helicopter base, many small planes, in addition to all the commercial jets and turboprops). This whole show is close enough to the sea that there's actually a gate in the security fence at the far end of the long runway (and a brightly painted tow path over a semi-major local artery) for schizophrenic seaplanes to toggle between wet feathers and dry feathers (though I've never seen it used; plus it routes around customs, so the paperwork and oversight would be decidedly non-trivial).
Here the Hydro powers-that-be, a few years back, replaced all the old wooden power poles with new concrete poles, only to later discover that the concrete poles were defectively engineered, so they would come out every three to six months to replace another one (cue a youthful, as-yet-unknown Weird Al bleating out "another day off the grid").
All the swanky new poles are wood again.
Setting aside the Homer Simpson Hydro problem (doh!), I basically haven't experienced a single outage or fault on this build, either due to hardware or software, since I removed a bad 4-port network card in the fall of 2012, in its first month of life.
So I guess this is definitely a case of "deserve what you get" half full, because this particular board is the most rock-solid board I've ever deployed ("full" disclosure: sample size N=1).
This modulo a power company that can't successfully deploy concrete poles that don't randomly snap in half (I presume this is the terrifying failure mode that necessitates full road-closure, tandem cherry picker and flatbed crane, crewed by a reflective-vest six-pack of union labour, to show up and perform a six–eight hour field replacement); this additionally modulo a hardware company with none of the same hardware quality problems as my local Hydro company, but with shit for BIOS.
Between Intel and Supermicro, I must confess this whole thing is indeed a bit of a bummer.
Intel's face palm—Spectre—makes my isolation jails worthless. Supermicro's face palm turns any jail escape into a secret-volcanic-island undersea laser lair, there to reside until hell freezes over, which might very well arrive before my next core dump, on this amazing piece of kit—at least as viewed by the brilliantly marshalled electrons (if they can manage to get here, in the first place, which was Weird Al territory in this garden-by-the-noisy-sea community for a bad stretch, of late).
Welcome to paradise, half full.
Bitter segfault at #JADEDDEADBEEFCAFE
(Some security-addled Supermicro segfaults are worse than others. That particular one would worry me sick.)
No they don't, I've got small feet, but ...oh, hang on, where's the cancel button.
While I completely agree with your comment, it is entirely off topic and shouldn't be posted here.