Topic: Firmware Bugs Plague Server Supply Chain, 7 Vendors Impacted

Offline Hardhead

Author: Tom Spring
July 17, 2019 1:43 pm

Lenovo, Acer and five additional server manufacturers are hit with supply-chain bugs buried in motherboard firmware.

Two firmware vulnerabilities impacting Lenovo, Acer and five additional server brands allow adversaries to brick servers, run arbitrary code on targeted systems and maintain a persistent foothold – surviving even an operating system reinstallation.

The bugs are tied to Gigabyte motherboards used in the vulnerable servers. The culprit is firmware for a motherboard component called a Baseboard Management Controller (BMC), which is used for subsystem management and monitoring. Server-makers using the vulnerable BMC firmware are Lenovo, Acer, AMAX, Bigtera, Ciara, Penguin Computing and sysGen.

The common thread connecting each of the server brands is the use of two specific motherboard SKUs made by Gigabyte, according to researchers at Eclypsium who first identified the bugs and publicly disclosed their findings Tuesday.