BMC Firmware Errors on Gigabyte and Lenovo Servers


Gigabyte and Lenovo have released firmware updates for some of their server motherboards after vulnerabilities were found in MergePoint EMS, the firmware that runs on a component of those motherboards. Two different bugs, combined with end-of-life products and a complex supply chain, make patching rather complicated, reports ZDNet.

Both Lenovo and Gigabyte use MergePoint EMS as the baseboard management controller (BMC) firmware on their server motherboards. That firmware contained two bugs that give rise to vulnerabilities. The BMC is a stand-alone unit with its own small processor, memory and LAN interface that provides services such as IPMI, so the server can be managed remotely without running any software on the host itself; the full screen output, keyboard and mouse can be redirected over IPMI.

The first problem is that the firmware update process is not cryptographically secured, so an attacker who already has access to a compromised device can overwrite the BMC firmware without any resistance. The second is a command injection flaw, which lets an attacker run malicious code on a host running the MergePoint EMS firmware. Both problems require the attacker to have already gained access to the device, so servers cannot be attacked remotely via these vulnerabilities.

Patches

Both Lenovo and Gigabyte have come up with patches for the problems. Lenovo already released a firmware update in 2018, but it fixes only the second vulnerability, the command injection. According to Lenovo, cryptographically secure firmware updates were not standard practice in 2014, when the MergePoint EMS firmware was first used in its BMCs. Affected products will therefore reach end-of-life without the insecure update process ever being fixed.

Like Lenovo, Gigabyte is not patching the insecure firmware update process. The other problem was fixed in May, but unlike Lenovo, Gigabyte did so without an official statement about the how and why. Gigabyte did announce that it will no longer use MergePoint EMS and will switch to AMI-based firmware for its server motherboards. Unfortunately, Gigabyte’s motherboards are also used in third-party servers from other vendors, so users have to find out for themselves which BMC and which firmware version their device is running in order to determine whether they are exposed.

This news article was automatically translated from Dutch to give Techzine.eu a head start. All news articles after September 1, 2019 are written in native English and NOT translated. All our background stories are written in native English as well. For more information read our launch article.