back to article Supermicro wraps crypto-blanket around server firmware to hide it from malware injectors

Researchers claim to have discovered an exploitable flaw in the baseboard management controller (BMC) hardware used by Supermicro servers. Security biz Eclypsium today said a weakness in the mechanism for updating a BMC's firmware could be abused by an attacker to install and run malicious code that would be extremely …

  1. Anonymous Coward
    Anonymous Coward

    Well, I'm sure both users of Supermicro servers will be glad to hear there's a fix.

    1. Destroy All Monsters Silver badge

      Lolwhat?

  2. Chris Hills

    Is this a good fix?

    When I buy IT products, I despise not having control of them. Limiting updates to the manufacturer enforces lock-in and obsolescence. There is a middle-ground where-by a physical jumper could be provided when an update is to be applied.

    1. Christian Berger

      Of course it's not

      I mean attackers will just demand those keys from Supermicro in order to get their malware running.

      1. Christian Berger

        Re: Of course it's not

        And then of course, other attackers will get the keys from the attackers who were in the position to demand them from Supermicro.

    2. GnuTzu

      Re: Is this a good fix?

      Ah, to be among the few with some nostalgia for jumpers.

    3. Spazturtle Silver badge

      Re: Is this a good fix?

      AMD server CPUs are not hardware locked, the ability to overclock them is locked in the motherboards firmware. People have been buying supermicro boards for years so that they can flash a custom firmware and overclock AMD server CPUs. Would hate to see this niche hobby die off.

  3. Nano nano

    No BMC jokes ?

    Morris Marina ...

    1. Thunderpants
      Joke

      Re: No BMC jokes ?

      "Morris Marina"

      Shirley the "quartic" steering wheel of the Allegro was even funnier?

  4. Anonymous Coward
    Anonymous Coward

    28 Days Later... have Bloomberg just picked up on this?

    As title. Have Bloomberg just spotted this, rehashed it without understanding al the proper hashtags (e.g. pencil tip, eclypsium), and the vulnerable readers and writers of the mass market media are lapping it up?

    https://www.telegraph.co.uk/technology/2018/10/04/apple-amazon-deny-report-chinese-spy-chips-used-infiltrate-networks/

    Or are the two concepts unrelated?

    1. A Known Coward

      Re: 28 Days Later... have Bloomberg just picked up on this?

      The bloomberg article, for which they have 17 well placed sources - inside Amazon, Apple and the US government is that they discovered three years ago that Supermicro boards had been modified at the production line in china with the addition of a tiny chip which added a backdoor to the system. What's missing from the article is the sort of technical detail we would all like.

      https://www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s-top-companies

      1. Anonymous Coward
        Anonymous Coward

        Re: "17 well placed sources - inside Amazon, Apple and the US government"

        O'Really? Would that by any chance be these people:

        "Two Amazon employees

        Three Apple employees

        Six intelligence agencies officials

        Six other people that Bloomberg says confirmed various different aspects of the story"

        " The entire story may hinge on that report that Bloomberg claims exists and Amazon denies."

        Both quotes are from a very reputable source (even more reputable than Apple's tax imagineers):

        https://www.theregister.co.uk/2018/10/04/supermicro_bloomberg/?page=3

        Sorry, I'm not buying the original Bloomberg 'story' yet, it sounds rather like someone may have misunderstood a poor explanation of how SPI flash (or similar) works (or doesn't), especially when it comes in very small chips the size of a pencil tip, which are bigger inside than they are outside, and which can sometimes be manipulated in inconvenient ways without much visibility at the time.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like