Severe Firmware Vulnerabilities Found In Popular Supermicro Server Products

An anonymous reader quotes a report from Bleeping Computer: Security researchers have uncovered vulnerabilities affecting the firmware of the very popular Supermicro enterprise-line server products. These vulnerabilities affect both older and newer models of Supermicro products, but the vendor is working on addressing the issues. These vulnerabilities do not put the safety of Supermicro products at direct risk, as they can only be exploited via malicious software/code (aka malware) already running on a system. Nevertheless, exploiting these vulnerabilities allows the malware to obtain an almost permanent foothold on infected systems by gaining the ability to survive server OS reinstalls by hiding in the hardware's firmware. Technical details are available in an Eclypsium blog post, while a list of affected servers is available here.

TLDR: root can update the firmware, isn't signed

[raymorris]

To summarize the article, in some instances the administrator can update firmware. The hardware doesn't require that the firmware be signed, so you can use your own firmware. That means if a bad guy has full control of your system, he could install malicious firmware.

Action to take:
If a system gets rooted, consider updating firmware for disk controllers and such before you re-install the OS.

By the way, quite separate from this story, you DO need to re-install the OS if you get a root kit. It's impossible to reliably "clean up" a rooted system without reinstalling, and that has always been true. This story reminds us to do the firmware as well if you get rooted.

What the hell happened to a write jumper?

Why is the solution to everything these days to incorporate firmware signing when a simple write jumper on a PCB would protect the system far better than any sort of encryption ever could?

You can't write to a chip if that functionality is electrically disabled. This should be fucking standard on server hardware. Make the write enable a physical switch on the back of the machine. In order to flash system, you have to turn it off, press that button, and turn it on again. Once the system is rebooted, the write enable unlatches and returns to a protected state.

Instead, everyone is freaking out about firmware signing this, firmware signing that. What if I want to install my own custom firmware? It's not totally inconceivable that someone might want to do that. I remember flashing a custom BIOS to a 586 system once to unlock support for the AMD K6-2 CPUs. More recently I had to splice in some updated firmware for an Intel CPU onto a board that was no longer receiving updates. It's impossible to do this if the firmware is signed, which, again, there is no real reason for because the write pins for the chip holding your firmware should be protected by some sort of physical setup.

Re:What the hell happened to a write jumper?

[Junta]

Because the write jumper on the board would be left in 'write' position by most people and offer no protection is the short answer.

There was even a brief period where the jumper you described actually did exist for some vendors (it was 'bypass signing') but it was used as a debug tool and undocumented for the users. Eventually security folks declared that to be too risky in the face of the chance of a supply chain attack. Middle-men along the product's journey to the customer can mess with jumpers and dip switches all day long.