Vulnerability in firmware of BMC controllers affecting servers of many manufacturers

Eclypsium has disclosed two vulnerabilities in the firmware of the BMC controller shipped with Lenovo ThinkServers that allow a local user to modify the firmware or execute arbitrary code on the BMC chip itself.

Further analysis showed that the same problems affect the BMC firmware used in Gigabyte Enterprise Server platforms, which are in turn used in servers from companies such as Acer, AMAX, Bigtera, Ciara, Penguin Computing and sysGen. The affected BMCs run the vulnerable MergePoint EMS firmware developed by the third-party vendor Avocent (now a division of Vertiv).

The first vulnerability is caused by the lack of cryptographic verification of downloaded firmware updates (only a CRC32 checksum is checked, contrary to NIST recommendations to use digital signatures), which allows an attacker with local access to the system to replace the BMC firmware. The problem can be used, for example, to implant a rootkit that survives reinstallation of the operating system and blocks further firmware updates (removing such a rootkit requires rewriting the SPI flash with a programmer).

The second vulnerability is in the firmware update code and allows injection of arbitrary commands that are executed in the BMC with the highest privilege level. To attack, it is enough to change the value of the RemoteFirmwareImageFilePath parameter in the bmcfwu.cfg configuration file, which specifies the path to the image of the new firmware. During the next update, which can be initiated by an IPMI command, this parameter is processed by the BMC and used as part of the string passed to /bin/sh through a popen() call. Since the shell command string is built with snprintf() without proper escaping of special characters, an attacker can inject their own commands for execution. Exploiting the vulnerability requires rights that allow sending a command to the BMC controller via IPMI (with administrator rights on the server, an IPMI command can be sent without additional authentication).
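The popen()/snprintf() pattern described above, as an added illustration that is not code from the article, Eclypsium or the MergePoint EMS firmware: the unsafe shape beside a hardened variant that allowlists the configured path and runs the updater through execv() with no shell involved. The function names, the staging directory /var/fw/ and the updater binary /usr/sbin/fwupdate are assumptions.

```c
/* Added example, not from the article or the affected firmware.
 * Names, paths and the updater binary below are hypothetical. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <sys/wait.h>

/* Unsafe shape: a configuration value is pasted verbatim into a command
 * string that is later handed to /bin/sh (e.g. via popen()). Any shell
 * metacharacter in the value becomes part of the command. */
int build_update_cmd(char *out, size_t n, const char *path) {
    int r = snprintf(out, n, "fwupdate -f %s", path);
    return r >= 0 && (size_t)r < n;
}

/* Hardened check: the path must live under a fixed staging directory,
 * contain no ".." component and use only a conservative alphabet. */
int path_is_safe(const char *path) {
    const char *prefix = "/var/fw/";            /* assumed staging dir */
    size_t plen = strlen(prefix);
    if (strncmp(path, prefix, plen) != 0) return 0;
    if (strstr(path, "..") != NULL) return 0;
    for (const char *p = path + plen; *p; p++) {
        if (!isalnum((unsigned char)*p) && *p != '.' &&
            *p != '_' && *p != '-' && *p != '/')
            return 0;
    }
    return *(path + plen) != '\0';               /* reject the bare prefix */
}

/* Hardened invocation: validate first, then execv() the updater directly
 * with the path as a single argv element, so no shell ever parses it.
 * Returns the updater's exit status, or -1 on rejection/failure. */
int run_update(const char *path) {
    if (!path_is_safe(path)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = {"/usr/sbin/fwupdate", "-f", (char *)path, NULL};
        execv(argv[0], argv);                    /* assumed updater binary */
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```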

Gigabyte and Lenovo were aware of the issues as early as July 2018 and released updates before public disclosure. Lenovo released firmware updates on November 15, 2018 for the ThinkServer RD340, TD340, RD440, RD540 and RD640 servers, but fixed only the command injection vulnerability, since when the MergePoint EMS-based server line was created in 2014, digital-signature verification of firmware was not yet widespread and was not part of the original specification.

On May 8 this year, Gigabyte released firmware updates for motherboards with the ASPEED AST2500 controller, but, like Lenovo, fixed only the command injection vulnerability. Vulnerable boards based on the ASPEED AST2400 have not yet been updated. Gigabyte also announced a transition to AMI's MegaRAC SP-X firmware, including new MegaRAC SP-X-based firmware for systems previously shipped with MergePoint EMS. The decision followed Vertiv's announcement that it is ending support for the MergePoint EMS platform. Meanwhile, nothing has been reported about firmware updates for servers from Acer, AMAX, Bigtera, Ciara, Penguin Computing and sysGen that are based on Gigabyte boards and carry the vulnerable MergePoint EMS firmware.

Recall that a BMC is a specialized controller installed in servers that has its own CPU, memory, storage and sensor polling interfaces and provides a low-level interface for monitoring and controlling server hardware. Through the BMC, independently of the operating system running on the server, one can monitor sensor status, manage power, firmware and disks, arrange remote network boot, operate a remote access console, and so on.

Source: opennet.ru
