Inkampani ye-Eclypsium Ubuthathaka obubini kwi-firmware yomlawuli we-BMC enikezelwe kwiiseva zeLenovo ThinkServer, evumela umsebenzisi wasekhaya ukuba atshintshe i-firmware okanye enze ikhowudi engafanelekanga kwicala le-chip ye-BMC.
Uhlalutyo olongezelelweyo lubonise ukuba ezi ngxaki zichaphazela i-firmware yabalawuli be-BMC abasetyenziswa kwiiplatifti ze-server ze-Gigabyte Enterprise Servers, ezikwasetyenziswa kwiiseva ezivela kwiinkampani ezifana ne-Acer, AMAX, Bigtera, Ciara, Penguin Computing kunye ne-sysGen. Abalawuli be-BMC abanengxaki basebenzise i-firmware ye-MergePoint EMS esesichengeni ephuhliswe ngumthengisi wesithathu uAvocent (ngoku icandelo leVertiv).
Ubuthathaka bokuqala bubangelwa kukunqongophala kokuqinisekiswa kwe-cryptographic yohlaziyo lwe-firmware ekhutshelweyo (kuphela ukuqinisekiswa kwe-CRC32 checksum kuyasetyenziswa, ngokuchaseneyo. I-NIST isebenzisa iisignesha zedijithali), evumela umhlaseli ngokufikelela kwendawo kwisistim ukuba ahlasele i-firmware ye-BMC. Ingxaki, umzekelo, ingasetyenziselwa ukudibanisa ngokunzulu i-rootkit ehlala isebenza emva kokufaka kwakhona inkqubo yokusebenza kunye neebhloko eziqhubekayo zohlaziyo lwe-firmware (ukuphelisa i-rootkit, kuya kufuneka usebenzise umdwelisi weprogram ukuze ubhale kwakhona i-SPI flash).
Ubuthathaka besibini bukhona kwikhowudi yohlaziyo lwe-firmware kwaye ikuvumela ukuba ufake endaweni yemiyalelo yakho, eya kwenziwa kwi-BMC kunye nenqanaba eliphezulu lamalungelo. Ukuhlasela, kwanele ukutshintsha ixabiso leparamitha ye-RemoteFirmwareImageFilePath kwifayile yokucwangcisa i-bmcfwu.cfg, apho indlela eya kumfanekiso we-firmware ehlaziyiweyo inqunywe. Ngexesha lohlaziyo olulandelayo, olunokuqaliswa ngomyalelo kwi-IPMI, le parameter iya kuqhutyelwa phambili yi-BMC kwaye isetyenziswe njengenxalenye ye-popen () umnxeba njengenxalenye yomgca we /bin/sh. Ukusukela ukuba umgca wokuvelisa umyalelo weqokobhe udalwe kusetyenziswa i-snprintf () umnxeba ngaphandle kokucoca ngokufanelekileyo abasebenzi abakhethekileyo, abahlaseli banokubeka endaweni yekhowudi yabo ukuze baphumeze. Ukuxhaphaza ubuthathaka, kufuneka ube namalungelo akuvumela ukuba uthumele umyalelo kumlawuli we-BMC nge-IPMI (ukuba unamalungelo omlawuli kumncedisi, ungathumela umyalelo we-IPMI ngaphandle koqinisekiso olongezelelweyo).
UGigabyte kunye noLenovo baziswe ngeengxaki emva kweJulayi 2018 kwaye bakwazi ukukhulula ukuhlaziywa ngaphambi kokuba ulwazi luvezwe esidlangalaleni. Lenovo inkampani uhlaziyo lwe-firmware ngoNovemba 15, i-2018 ye-ThinkServer RD340, TD340, RD440, RD540 kunye neeseva ze-RD640, kodwa yaphelisa kuphela ubuthathaka kubo obuvumela ukutshintshwa komyalelo, ukususela ngexesha lokudalwa komgca weeseva ezisekelwe kwi-MergePoint EMS kwi-2014, i-firmware. uqinisekiso lwenziwa kusetyenziswa utyikityo lwedijithali lwalungekasasazeki kwaye aluzange lubhengezwe ekuqaleni.
Nge-8 kaMeyi kulo nyaka, iGigabyte ikhuphe uhlaziyo lwe-firmware yeebhodi zomama kunye nesilawuli se-ASPEED AST2500, kodwa njengeLenovo, yalungisa kuphela ubungozi bokutshintsha komyalelo. Iibhodi ezisesichengeni ezisekwe kwi-ASPEED AST2400 zihlala zingenahlaziyo okwangoku. Gigabyte nayo malunga notshintsho ekusebenziseni i-MegaRAC SP-X firmware esuka kwi-AMI. Kubandakanya i-firmware entsha esekwe kwi-MegaRAC SP-X iya kubonelelwa kwiinkqubo ezithunyelwe ngaphambili kunye ne-firmware ye-MergePoint EMS. Esi sigqibo silandela isibhengezo se-Vertiv sokuba ayisayi kuphinda ixhase iqonga le-MergePoint EMS. Kwangaxeshanye, akukho nto ichaziweyo malunga nohlaziyo lwe-firmware kwiiseva ezenziwe ngu-Acer, AMAX, Bigtera, Ciara, Penguin Computing kunye ne-sysGen esekwe kwiibhodi zeGigabyte kwaye zixhotyiswe nge-firmware ye-MergePoint EMS esengozini.
Masikhumbule ukuba i-BMC isilawuli esikhethekileyo esifakwe kwiiseva, esine-CPU, imemori, indawo yokugcina kunye ne-sensor polling interfaces, ebonelela nge-interface ephantsi yokubeka iliso kunye nokulawula izixhobo zeseva. Ukusebenzisa i-BMC, kungakhathaliseki ukuba yiyiphi inkqubo yokusebenza esebenza kumncedisi, unokubeka iliso kwimo yeenzwa, ulawule amandla, i-firmware kunye neediski, uququzelele ukubhuthwa okude kwinethiwekhi, uqinisekise ukusebenza kwekhonsoli yokufikelela kude, njl.
umthombo: opennet.ru