Eclypsium Company
Further analysis showed that these problems also affect the firmware of the BMC controllers used in Gigabyte Enterprise Servers platforms, which are also used in servers from companies such as Acer, AMAX, Bigtera, Ciara, Penguin Computing and sysGen. The affected BMCs run vulnerable MergePoint EMS firmware developed by the third-party vendor Avocent (now a division of Vertiv).
The first vulnerability is caused by the lack of cryptographic verification of downloaded firmware updates (only CRC32 checksum verification is used, contrary to
The second vulnerability is in the firmware update code and allows injection of arbitrary commands that are executed on the BMC with the highest privilege level. To attack, it is enough to change the value of the RemoteFirmwareImageFilePath parameter in the bmcfwu.cfg configuration file, which determines the path to the image of the new firmware. During the next update, which can be initiated by an IPMI command, the BMC processes this parameter and uses it in a popen() call as part of the command string passed to /bin/sh. Since that shell command string is built with an snprintf() call without proper escaping of special characters, attackers can inject their own commands for execution. To exploit the vulnerability, you must have rights that allow you to send a command via IPMI to the BMC controller (if you have administrator rights on the server, you can send an IPMI command without additional authentication).
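The pattern described above, as an added illustration that is not code from the article or from the affected firmware: the vulnerable construction (a configured path formatted into a command string that a shell will parse) next to a hardened variant that validates the path against a conservative allow-list and runs the updater through fork/execv with no shell at all. The updater binary name, the function names and the sample config value are assumptions made for the example; the article names only the RemoteFirmwareImageFilePath parameter.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical updater binary (assumption for this example). */
#define UPDATER_PATH "/usr/bin/fwupdate"

/* The pattern the article describes: the configured image path is formatted
 * into a command line with snprintf() and would be handed to popen(), so any
 * shell metacharacters in the path are interpreted by /bin/sh.
 * Returns 0 on success, -1 if the buffer was too small. */
int build_update_command_unsafe(const char *image_path, char *out, size_t out_len)
{
    int n = snprintf(out, out_len, "%s %s", UPDATER_PATH, image_path);
    return (n < 0 || (size_t)n >= out_len) ? -1 : 0;
}

/* Hardened input check: absolute path, conservative character allow-list,
 * bounded length, no ".." components. Anything else is rejected before it
 * gets anywhere near a command line. Returns 1 if acceptable, 0 otherwise. */
int image_path_is_safe(const char *p)
{
    if (p == NULL || p[0] != '/' || strlen(p) > 255)
        return 0;
    for (const char *c = p; *c; c++) {
        if (!(isalnum((unsigned char)*c) || *c == '/' || *c == '.' ||
              *c == '_' || *c == '-'))
            return 0;
    }
    if (strstr(p, "/../") != NULL)
        return 0;
    size_t len = strlen(p);
    if (len >= 3 && strcmp(p + len - 3, "/..") == 0)
        return 0;
    return 1;
}

/* Hardened execution: validate, then fork/execv so the path travels as a
 * single argv element and no shell is involved. Returns the updater's exit
 * status, or -1 if the path is rejected or the child could not be run. */
int run_update_no_shell(const char *updater, const char *image_path)
{
    if (!image_path_is_safe(image_path))
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)updater, (char *)image_path, NULL };
        execv(updater, argv);
        _exit(127); /* only reached if execv failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    char cmd[512];
    /* Constructed config value containing a shell metacharacter. */
    const char *tainted = "/tmp/fw.bin; extra";
    build_update_command_unsafe(tainted, cmd, sizeof cmd);
    printf("string popen() would receive: %s\n", cmd);
    printf("allow-list verdict for tainted path: %d\n", image_path_is_safe(tainted));
    printf("allow-list verdict for clean path:   %d\n", image_path_is_safe("/tmp/fw_1.2.bin"));
    /* /bin/true stands in for the real updater so the hardened path runs anywhere. */
    printf("exit status via execv: %d\n", run_update_no_shell("/bin/true", "/tmp/fw_1.2.bin"));
    return 0;
}
```

The allow-list is deliberately narrower than what a filesystem permits; for a firmware image path that is the right trade-off, and it also removes the traversal case that an escaping-only fix would leave open. Because the hardened variant never builds a command string, the snprintf() truncation and quoting questions disappear with it.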
Gigabyte and Lenovo were aware of the issues as early as July 2018 and released updates prior to public disclosure. Lenovo
On May 8 this year, Gigabyte released firmware updates for motherboards with the ASPEED AST2500 controller, but like Lenovo, they only fixed the command injection vulnerability. Vulnerable boards based on ASPEED AST2400 have not yet been updated. Gigabyte also
Recall that a BMC is a specialized controller installed in servers that has its own CPU, memory, storage and sensor polling interfaces, and provides a low-level interface for monitoring and controlling server hardware. Through the BMC, regardless of the operating system running on the server, you can monitor sensor readings, manage power, firmware and disks, set up remote boot over the network, run a remote access console, etc.
Source: opennet.ru