Khampani ea Eclypsium mefokolo e 'meli ho firmware ea molaoli oa BMC e fanoeng ho li-server tsa Lenovo ThinkServer, e lumellang mosebelisi oa lehae ho fetola firmware kapa ho etsa khoutu e hanyetsanang lehlakoreng la chip ea BMC.
Tlhahlobo e eketsehileng e bontšitse hore mathata ana a boetse a ama firmware ea balaoli ba BMC e sebelisoang ho li-server tsa Gigabyte Enterprise Servers, tse sebelisoang hape ho li-server tse tsoang lik'hamphani tse kang Acer, AMAX, Bigtera, Ciara, Penguin Computing le sysGen. Balaoli ba bothata ba BMC ba sebelisitse firmware ea MergePoint EMS e tlokotsing e ntlafalitsoeng ke morekisi oa mokha oa boraro Avocent (eo hona joale e leng karolo ea Vertiv).
Kotsi ea pele e bakoa ke khaello ea netefatso ea "cryptographic" ea liapdeite tsa firmware tse jarollotsoeng (ho sebelisoa feela netefatso ea CRC32 checksum, ho fapana le hoo. NIST e sebelisa li-signature tsa dijithale), e lumellang mohlaseli ea nang le phihlello ea lehae ea sistimi ho senya firmware ea BMC. Bothata, ka mohlala, bo ka sebelisoa ho kopanya ka botebo rootkit e lulang e sebetsa ka mor'a ho tsosolosa mokhoa oa ho sebetsa le ho thibela lisebelisoa tse ling tsa firmware (ho felisa rootkit, o tla hloka ho sebelisa moqapi ho ngola hape SPI flash).
Bofokoli ba bobeli bo teng ka har'a khoutu ea ntlafatso ea firmware mme bo u lumella ho kenya litaelo tsa hau sebakeng sa BMC ka maemo a phahameng ka ho fetisisa a litokelo. Ho hlasela, ho lekane ho fetola boleng ba parameter ea RemoteFirmwareImageFilePath ho faele ea tlhophiso ea bmcfwu.cfg, eo ka eona tsela e eang setšoantšong sa firmware e ntlafalitsoeng e ikemiselitseng. Nakong ea ntlafatso e latelang, e ka qalisoang ka taelo ho IPMI, parameter ena e tla sebetsoa ke BMC 'me e sebelisoe e le karolo ea popen() call e le karolo ea mohala oa /bin/sh. Kaha mohala oa ho hlahisa taelo ea khetla o etsoa ho sebelisoa mohala oa snprintf () ntle le ho hloekisa hantle litlhaku tse khethehileng, bahlaseli ba ka kenya khoutu ea bona bakeng sa ho bolaoa. Ho sebelisa monyetla oa ho ba kotsing, o tlameha ho ba le litokelo tse u lumellang hore u romele taelo ho molaoli oa BMC ka IPMI (haeba u na le litokelo tsa motsamaisi ho seva, u ka romela taelo ea IPMI ntle le netefatso e eketsehileng).
Gigabyte le Lenovo ba ile ba tsebisoa ka mathata morao koana ka Phupu 2018 mme ba khona ho lokolla lintlafatso pele tlhahisoleseling e senoloa phatlalatsa. Khamphani ea Lenovo lintlafatso tsa firmware ka la 15 Pulungoana 2018 bakeng sa li-server tsa ThinkServer RD340, TD340, RD440, RD540 le RD640, empa li felisitse feela ts'ebotsi ho tsona e lumellang sebaka sa taelo, ho tloha nakong ea ho theha mohala oa li-server tse thehiloeng ho MergePoint EMS ka 2014, firmware. netefatso e ile ea etsoa ho sebelisoa signature ea dijithale e ne e e-so atame ebile ha e e-so phatlalatsoe qalong.
Ka la 8 Mots'eanong selemong sena, Gigabyte e ile ea lokolla lintlafatso tsa firmware bakeng sa liboto tsa bo-mme tse nang le molaoli oa ASPEED AST2500, empa joalo ka Lenovo, e ile ea lokisa feela ts'oaetso ea ho kenya taelo. Liboto tse tlokotsing tse thehiloeng ho ASPEED AST2400 li lula li se na lintlafatso hajoale. Gigabyte hape mabapi le phetoho ea ho sebelisa MegaRAC SP-X firmware ho tloha AMI. Ho kenyelletsa le firmware e ncha e thehiloeng ho MegaRAC SP-X e tla fanoa bakeng sa litsamaiso tse neng li rometsoe pele ka firmware ea MergePoint EMS. Qeto ena e latela phatlalatso ea Vertiv ea hore ha e sa tla hlola e tšehetsa sethala sa MergePoint EMS. Ka nako e ts'oanang, ha ho letho le tlalehiloeng mabapi le lisebelisoa tsa firmware ho li-server tse entsoeng ke Acer, AMAX, Bigtera, Ciara, Penguin Computing le sysGen e thehiloeng ho liboto tsa Gigabyte 'me e na le firmware ea MergePoint EMS e tlokotsing.
A re hopoleng hore BMC ke molaoli ea khethehileng ea kentsoeng ka har'a li-server, tse nang le li-interfaces tsa eona tsa CPU, memori, polokelo le li-sensor polling, tse fanang ka sebopeho sa boemo bo tlaase bakeng sa ho shebella le ho laola lisebelisoa tsa seva. U sebelisa BMC, ho sa tsotelehe sistimi e sebetsang ho seva, o ka hlokomela boemo ba li-sensor, ho laola matla, firmware le li-disks, ho hlophisa booting e hole holim'a marang-rang, ho netefatsa ts'ebetso ea komporo ea phihlello e hole, jj.
Source: opennet.ru