Eclypsium Company kusakwana kuviri muiyo firmware yeBMC controller inopihwa muLenovo FungaServer maseva, ichibvumira mushandisi wemuno kuti achinje firmware kana kuita zvekupokana kodhi paBMC chip side.
Kumwe kuongorora kwakaratidza kuti matambudziko aya anokanganisawo firmware yeBMC controllers inoshandiswa muGigabyte Enterprise Servers server mapuratifomu, ayo anoshandiswawo mumaseva kubva kumakambani akadai seAcer, AMAX, Bigtera, Ciara, Penguin Computing uye sysGen. Iwo ane dambudziko BMC controllers akashandisa panjodzi MergePoint EMS firmware yakagadziriswa neyechitatu-bato mutengesi Avocent (ikozvino kupatsanurwa kweVertiv).
Kusagadzikana kwekutanga kunokonzerwa nekushaikwa kwekriptographic verification yekurodha firmware updates (chete CRC32 checksum verification ndiyo inoshandiswa, zvinopesana. NIST inoshandisa siginecha yedhijitari), iyo inobvumira anorwisa nekuwana yemuno kune sisitimu kukanganisa iyo BMC firmware. Dambudziko, semuenzaniso, rinogona kushandiswa kubatanidza zvakadzama rootkit inoramba ichishanda mushure mekudzorera sisitimu yekushandisa uye inovhara mamwe magadzirirwo e firmware (kubvisa iyo rootkit, iwe uchafanirwa kushandisa programmer kunyorazve SPI flash).
Kusagadzikana kwechipiri kuripo mune firmware yekuvandudza kodhi uye inobvumidza iwe kutsiva yako mirairo, iyo inozoitwa muBMC nepamusoro-soro ropafadzo. Kuti urwise, zvakakwana kushandura kukosha kweRemoteFirmwareImageFilePath parameter mu bmcfwu.cfg configuration file, iyo nzira inoenda kumufananidzo we firmware yakagadziridzwa inotsanangurwa. Munguva yekuvandudza kunotevera, iyo inogona kutangwa nemurairo muIPMI, iyi parameter ichagadziriswa neBMC uye inoshandiswa sechikamu chepopen () kufona sechikamu chemutsara we /bin/sh. Sezvo mutsara wekugadzira iyo shell yekuraira wakagadzirwa uchishandisa iyo snprintf () kufona pasina kucheneswa kwakaringana kwemavara akakosha, vanorwisa vanogona kutsiva kodhi yavo kuti vauraye. Kuti utore kusazvibata, unofanirwa kuve nekodzero dzinokutendera kuti utumire murairo kune BMC controller kuburikidza neIPMI (kana uine kodzero dzemaneja pane server, unogona kutumira IPMI kuraira pasina humwe humbowo).
Gigabyte naLenovo vakaziviswa nezvematambudziko kumashure muna Chikunguru 2018 uye vakakwanisa kuburitsa zvigadziriso ruzivo rwusati rwaburitswa pachena. Lenovo kambani firmware inogadziridza munaNovember 15, 2018 yeThinkServer RD340, TD340, RD440, RD540 uye RD640 maseva, asi yakangobvisa kusagadzikana mavari kunobvumira kutsiva kwekuraira, kubvira panguva yekugadzirwa kwemutsara wemaseva wakavakirwa paMergePoint EMS muna 2014, firmware. ongororo yakaitwa pachishandiswa siginecha yedhijitari yakanga isati yapararira uye haina kutanga yaziviswa.
Musi waChivabvu 8 wegore rino, Gigabyte yakaburitsa zvigadziriso zvemabhobho eamai neASPEED AST2500 controller, asi seLenovo, yakangogadzirisa kusagadzikana kwemirairo. Mabhodhi ari munjodzi akavakirwa paASPEED AST2400 anoramba asina zvigadziriso izvozvi. Gigabyte zvakare nezve shanduko yekushandisa MegaRAC SP-X firmware kubva kuAMI. Kusanganisira itsva firmware yakavakirwa paMegaRAC SP-X ichapihwa kune masisitimu akambotumirwa neMergePoint EMS firmware. Sarudzo iyi inotevera chiziviso chaVertiv kuti haichatsigire MergePoint EMS chikuva. Panguva imwecheteyo, hapana chakambotaurwa nezve firmware zvigadziriso pamaseva anogadzirwa neAcer, AMAX, Bigtera, Ciara, Penguin Computing uye sysGen yakavakirwa pamabhodhi eGigabyte uye akashongedzerwa nenjodzi MergePoint EMS firmware.
Ngatiyeukei kuti BMC inyanzvi inodzora yakaiswa mumaseva, ine yayo CPU, ndangariro, chengetedzo uye sensor polling interfaces, iyo inopa yakaderera-level interface yekutarisa uye kutonga server midziyo. Uchishandisa BMC, zvisinei neiyo inoshanda sisitimu inoshanda pane sevha, unogona kutarisa mamiriro emasensa, maneja simba, firmware uye disks, kuronga kure kure booting pamusoro petiweki, simbisa kushanda kweiyo kure yekuwana console, nezvimwe.
Source: opennet.ru