Inkampani ye-Eclypsium ubungozi obubili ku-firmware yesilawuli se-BMC esinikezwe kumaseva we-Lenovo ThinkServer, okuvumela umsebenzisi wasendaweni ukuthi ashintshe i-firmware noma akhiphe ikhodi engafanele ohlangothini lwe-BMC chip.
Ukuhlaziywa okwengeziwe kubonise ukuthi lezi zinkinga ziphinde zithinte i-firmware yabalawuli be-BMC abasetshenziswa kumapulatifomu eseva ye-Gigabyte Enterprise Servers, aphinde asetshenziswe kumaseva avela ezinkampanini ezifana ne-Acer, AMAX, Bigtera, Ciara, Penguin Computing kanye ne-sysGen. Abalawuli be-BMC abanenkinga basebenzise i-firmware esengozini ye-MergePoint EMS eyakhiwe umthengisi wenkampani yangaphandle u-Avocent (manje oyingxenye ye-Vertiv).
Ukuba sengozini kokuqala kubangelwe ukuntuleka kokuqinisekiswa kwe-cryptographic kwezibuyekezo ze-firmware ezilandiwe (kuphela ukuqinisekiswa kwe-CRC32 checksum kuphela kusetshenziswa, ngokuphambene. I-NIST isebenzisa amasiginesha edijithali), okuvumela umhlaseli onokufinyelela kwasendaweni kusistimu ukuthi aphange i-firmware ye-BMC. Inkinga, isibonelo, ingasetshenziswa ukuhlanganisa ngokujulile i-rootkit ehlala isebenza ngemva kokufaka kabusha isistimu yokusebenza futhi ivimbe ukubuyekezwa okwengeziwe kwe-firmware (ukuze uqede i-rootkit, uzodinga ukusebenzisa umklami ukuze ubhale kabusha i-SPI flash).
Ukuba sengozini kwesibili kukhona kukhodi yokubuyekeza i-firmware futhi ikuvumela ukuthi umiselele eyakho imiyalo, ezosetshenziswa ku-BMC ngezinga eliphakeme kakhulu lamalungelo. Ukuze uhlasele, kwanele ukushintsha inani lepharamitha ye-RemoteFirmwareImageFilePath kufayela lokumisa le-bmcfwu.cfg, okunqunywa ngalo indlela eya esithombeni se-firmware ebuyekeziwe. Phakathi nesibuyekezo esilandelayo, esingaqalwa ngomyalo ku-IPMI, le pharamitha izocutshungulwa yi-BMC futhi isetshenziswe njengengxenye yekholi ye-popen() njengengxenye yomugqa we-/bin/sh. Njengoba umugqa wokukhiqiza umyalo wegobolondo udalwe kusetshenziswa i-snprintf() ikholi ngaphandle kokuhlanza kahle izinhlamvu ezikhethekile, abahlaseli bangashintsha ikhodi yabo ukuze bayenze. Ukuze usebenzise ubungozi, kufanele ube namalungelo akuvumela ukuthi uthumele umyalo kusilawuli se-BMC nge-IPMI (uma unamalungelo omlawuli kuseva, ungathumela umyalo we-IPMI ngaphandle kokuqinisekisa okwengeziwe).
UGigabyte noLenovo baziswe ngezinkinga emuva ngoJulayi 2018 futhi bakwazi ukukhipha izibuyekezo ngaphambi kokuthi imininingwane idalulwe esidlangalaleni. Lenovo inkampani izibuyekezo ze-firmware ngoNovemba 15, 2018 zamaseva we-ThinkServer RD340, TD340, RD440, RD540 kanye ne-RD640, kodwa zasusa ubungozi kuzo obuvumela ukushintshwa komyalo, kusukela ngesikhathi sokwakhiwa komugqa wamaseva asekelwe ku-MergePoint EMS ngo-2014, i-firmware. ukuqinisekiswa kwenziwa kusetshenziswa isiginesha yedijithali kwakungakasakazeki futhi akuzange kumenyezelwe ekuqaleni.
NgoMeyi 8 walo nyaka, uGigabyte ukhiphe izibuyekezo ze-firmware zamabhodi omama ngesilawuli se-ASPEED AST2500, kodwa njengeLenovo, ilungise kuphela ubungozi bokushintsha umyalo. Amabhodi asengozini asekelwe ku-ASPEED AST2400 ahlala engenazo izibuyekezo okwamanje. Gigabyte futhi mayelana nokushintshela ekusebenziseni i-firmware ye-MegaRAC SP-X esuka ku-AMI. Kubandakanya i-firmware entsha esekelwe ku-MegaRAC SP-X izonikezwa kumasistimu athunyelwe ngaphambilini nge-firmware ye-MergePoint EMS. Lesi sinqumo silandela isimemezelo se-Vertiv sokuthi ngeke isasekela inkundla ye-MergePoint EMS. Ngesikhathi esifanayo, akukho lutho olubikiwe mayelana nezibuyekezo ze-firmware kumaseva akhiqizwe yi-Acer, AMAX, Bigtera, Ciara, Penguin Computing kanye ne-sysGen esekelwe kumabhodi e-Gigabyte futhi ifakwe i-firmware ye-MergePoint EMS esengozini.
Masikhumbule ukuthi i-BMC iyisilawuli esikhethekile esifakwe kumaseva, esine-CPU yayo, inkumbulo, indawo yokugcina kanye ne-sensor polling interface, ehlinzeka ngesixhumi esibonakalayo esisezingeni eliphansi sokuqapha nokuphatha imishini yeseva. Usebenzisa i-BMC, kungakhathaliseki ukuthi isistimu yokusebenza esebenza kuseva, ungakwazi ukuqapha isimo sezinzwa, uphathe amandla, i-firmware namadiski, uhlele ukubhutha okukude ngenethiwekhi, uqinisekise ukusebenza kwekhonsoli yokufinyelela kude, njll.
Source: opennet.ru