12 comments

[ 84.7 ms ] story [ 1903 ms ] thread
"Researchers from security firm Binarly have confirmed that the lapse has resulted in Intel, Lenovo, and Supermicro shipping server hardware that contains a vulnerability that can be exploited to reveal security-critical information. The researchers, however, went on to warn that any hardware that incorporates certain generations of baseboard management controllers made by Duluth, Georgia-based AMI or Taiwan-based AETN are also affected. ... BMCs are tiny computers soldered into the motherboard of servers that allow cloud centers, and sometimes their customers, to streamline the remote management of vast fleets of servers. ... In general, BMCs should be enabled only when needed and locked down carefully, as they allow for extraordinary control of entire fleets of servers with simple HTTP requests sent over the Internet."

For personal computing, any recommendations on motherboard manufacturers who take security seriously?

> For personal computing, any recommendations on motherboard manufacturers who take security seriously?

Dell Enterprise devices receive long-term security updates. In addition, Dell will happily sell ProSupport for used hardware, and will even transfer existing ProSupport coverage on used devices (e.g. purchased on eBay). ProSupport gets you competent and US-based tech support engineers with the power to solve tech problems and ordering (e.g. spare parts) quickly.

Dell 1L micro PCs / thin clients are affordable on the used market.

There's a modern MSI Intel motherboard with coreboot support, https://www.phoronix.com/news/Coreboot-Start-ADL-MSI-Dasharo

> ProSupport gets you competent and US-based tech support engineers with the power to solve tech problems and ordering (e.g. spare parts) quickly.

10 years ago I bought a refurb alienware tower really cheap. It, however, came with some "premium" alienware warranty plan. I really can't remember the details anymore, but I encountered a bug in the drivers/software for something on the machine. When I called them about it, I ended up getting US support and they made a ticket for the engineering department. They fixed the issue and called me a week later to thank me for the info and make sure I'd installed the new version of their stuff.

I was blown away that they had that level of support for not-enterprise hardware lol.

Their normal support is indeed terrible though. Some time later I bought my brother a refurb all-in-one and the DVD drive died after a few months. When I called about that I got somebody who refused to help me because the bios self-test software didn't give me any error codes - because it didn't generate any - because the dvd drive wasn't found at all.

Open source BMC firmware (like OpenBMC) is an option now. You can try to find hardware that's been ported.
> With no fixes available from Intel or Lenovo, there’s not much users of these affected hardware can do. It’s worth mentioning explicitly, however, that the severity of the lighttpd vulnerability is only moderate and is of no value unless an attacker has a working exploit for a much more severe vulnerability.

For unsupported but functional hardware with vulnerable BMCs, it would be helpful to have a toolkit (e.g. stacking multiple exploits) for hardware owners to replace the vulnerable software with OpenBMC, https://github.com/openbmc/openbmc.

Abandoned hardware owners could crowdfund an effort to add OpenBMC compatibility testing for their devices. This also falls under the rubric of repairability technology and a circular economy for electronics.

Ideally, we'd be able to buy new boards that use openbmc rather than whatever bespoke garbage vendors bundle these days.
I expect if you hook a machine up through an on-board ethernet port, it might be vulnerable.

Can you really prevent this with a bios setting?

would using a 3rd party (pcie or usb) ethernet adapter prevent it?

Depends. Some super micro boards, the BMC interface was shared with primary on board NIC and could be disabled. Some were a separate port. Iirc, using a separate third party NIC would prevent BMC functionality
Unfortunately Supermicro motherboards some time ago were known to shift the BMC to a regular NIC if the dedicated NIC wasn't alive.
Former server product manager here.... small nitpick. AMI does not manufacture BMC chipsets. They develop the firmware (like AMI MegaRAC SP-X) that is loaded into the BMC.

I've never heard of AETN before? I thought maybe they could be Insyde, a competitor to AMI, out of Taiwan, who also develops BMC firmware, but could not find a connection with "AETN." Phoenix is another BMC firmware developer although they've been focusing on OpenBMC.

ASPEED out of Taiwan is huge in the BMC chip business. There are some new FPGA based implementations for BMC / BMC-like cards based on standards that have come out of the open compute group... pretty cool stuff.

I would always treat the BMC authentication as an additional layer of defense. That is, don't expose it on untrusted networks in the first place.
If you insert enogh backdoors,, some of them will remain undetected.