supermicro Severe Firmware Vulnerabilities Found In Popular Supermicro Server Products

[arjhargjhargkhs.rkhljhsr]

https://it.slashdot.org/story/18/06/07/2127248/severe-firmware-vulnerabilities-found-in-popular-supermicro-server-products

 

Security researchers have uncovered vulnerabilities affecting the firmware of Supermicro server products.

Discovered by the Eclypsium team, these vulnerabilities affect both older and newer models of Supermicro products, but the vendor is working on addressing the issues.

These vulnerabilities do not put the safety of Supermicro products at direct risk, as they can only be exploited via malicious software/code (aka malware) already running on a system. Nevertheless, exploiting these vulnerabilities allows the malware to obtain an almost permanent foothold on infected systems by gaining the ability to survive server OS reinstalls by hiding in the hardware's firmware.

 

Malware can modify Descriptor Region settings

The first of the flaws uncovered by Eclypsium researchers is not an actual vulnerability in the firmware's code, but in the configuration of some Supermicro products.

Researchers say that some of these products come with firmware that uses an improper setting for the "Descriptor Region."

The Descriptor Region is a security feature of Intel-based chipsets. This setting tells the chipset what areas of its own flash storage external parties can access to store data such as firmware or configuration files.

According to Eclypsium researchers, some Supermicro products had an incorrectly set Descriptor Region that allowed software running on the OS (such as malware) to modify the Descriptor Region and then tamper with local firmware.

 

"Eclypsium researchers have observed vulnerable descriptor access controls through runtime examination of various server firmware models," the Eclypsium team wrote in a report published today.

"This manual analysis uncovered multiple server models that allowed writes to the flash descriptor from host software. According to Supermicro, some of the products we reviewed date back to 2008 and are currently EOL and no longer supported."

No firmware authentication for some products

But while modifying the Descriptor Region setting may be possible on some Supermicro products, tampering with the local firmware isn't as easy as it sounds, as several security mechanisms prevent malicious actors from altering a computer or server's most important code.

Here is where the second series of issues that the Eclypsium team discovered came into play.

"We have observed insecure firmware updates through runtime examination of various systems. This manual analysis uncovered that Supermicro X9DRi-LN4F+ and X10SLM-F systems did not securely authenticate firmware updates," the research team said.

"We confirmed this result by intentionally modifying the binary in official Supermicro firmware images and observing that the system firmware still accepted and installed the modified package."

No firmware rollback protection

But the issues didn't stop here, and the Eclypsium team also noted a lack of anti-rollback protections for firmware images.

This anti-rollback protection is crucial for situations where the vendor checks for firmware authenticity.

A firmware anti-rollback protection would prevent attackers from replacing newer firmware with an older (legitimate) firmware image that contains flaws that attackers can exploit and gain a foothold on all-of-a-sudden vulnerable systems.

Supermicro working on fixes

Eclypsium says it notified Supermicro about all the issues they discovered in the firmware of their products back in January.

"Supermicro has been supportive of our efforts and prioritized understanding and mitigating the issues we have discovered," Eclypsium says,

"For the current generation of products, Supermicro indicated that they have already implemented a signed firmware update for several products and are making this update generally available for all future systems.

"Similarly, for OEM customers who require rollback capability for their customized and locked firmware versions to ensure business continuity, Supermicro indicated that they are supporting anti-rollback as an option for their X11 generation firmware.

"The SPI flash descriptor is read-only on most boards and we are helping Supermicro identify specific models where this may be incorrectly set."

Impacted models

For owners of Supermicro server hardware, Eclypsium has released instructions on how to check the descriptor access controls of their own systems.

These procedures require installing and running the CHIPSEC Framework, a tool co-created by one of Eclypsium founders while working for Intel. All the server owner has to do is to run the following command:

chipsec_main -m common.spi_access

If this test fails, then the current descriptor values offer no protection, because they can be changed.

If an attacker were to exploit insecure firmware updates, the obvious goal would be to somehow alter the firmware. This enables very stealthy and persistent malware that can bypass many security controls. However, it may be possible to detect such malware (if it has not taken explicit steps to prevent this).

To defend against these attacks, it is possible to collect hashes of firmware modules. These can be validated against a whitelist from firmware provided by the vendor. If unexpected changes are discovered, expert analysis will be needed to manually assess them.

Bleeping Computer has sent a request for comment to Supermicro days before this article's publication. We asked Supermicro to confirm the Eclypsium research and inquired for a list of Supermicro platforms affected by the reported security issues, but we have not heard back before this article's publication time.

Until Supermicro responds or publishes an official security advisory with a list of affected models, Eclypsium CEO and Founder Yuriy Bulygin was kind enough to share with Bleeping Computer the list of Supermicro products they believe to be affected.

"For the missing UEFI update protections, it appears that a majority or all of X8, X9, X10 generation server products, and a majority of X11 generation server products are affected," Bulygin told Bleeping Computer via email. "We don’t know exact number of affected models but we found 1184 unique firmware images for at least 233 unique X8-X11 server models."

"For the flash descriptor issue we found close to 500 firmware images with this issue which translates to about 110 different models (some of them may be old). The list is below:"

X11SSZ

X11SSV

X11SSQL

X11SSQ

X11SSN

X11SRM

X11SRA

X11SBA

X11SAT

X11SAE_M

X11SAE

X10SRW

X10SRM

X10SRL

X10SRI

X10SRH

X10SRG

X10SRD

X10SRA

X10SDVT

X10SDVF

X10SDE

X10SDDF

X10SBA

X10QRH

X10DSN

X10DSCP

X10DSC

X10DRX

X10DRWN

X10DRW

X10DRUX

X10DRUL

X10DRU

X10DRTS

X10DRTPS

X10DRTL

X10DRTH

X10DRTB

X10DRT

X10DRS

X10DRLN

X10DRLC

X10DRL

X10DRI1

X10DRH4

X10DRH

X10DRGO

X10DRGH

X10DRG

X10DRFR

X10DRFG

X10DRFF

X10DRDL

X10DRD

X10DRC

X10DGO

X10DDWN

X10DDWI

X10DDW4

X10DDW3

X10DAX

X10DALI

X10DAL

X10DAI

B10DRT

B10DRI

B10DRG

X9SAE

X9DRTH

X9DRGQF

X9DRFFP

X9DRF

X9DBL

X8SIU

X8SIT

X8SIL

X8SIE

X8SIA

K1SPI

K1SPES

C9X299

C7Z97OC

C7Z97MF

C7Z87OC

C7Z370L

C7Z370I

C7Z270P

C7Z270M

C7Z270L

C7Z270CG

C7Z270C

C7Z170OCE

C7Z170O

C7Z170

C7X99OC

C7Q270

C7H270

C7B250

B1SD2TF

B1SA4

B1DRI

A2SAV

A2SAP

A2SAN

A1SRM

A1SAM

A1SAI1

A1SAI

A1SA

 

ALL Credit goes to its original authors

 

https://blog.eclypsium.com/2018/06/07/firmware-vulnerabilities-in-supermicro-systems/

https://it.slashdot.org/story/18/06/07/2127248/severe-firmware-vulnerabilities-found-in-popular-supermicro-server-products

https://www.bleepingcomputer.com/news/security/firmware-vulnerabilities-disclosed-in-supermicro-server-products/

 

 

[W-L]

@Ethan Cahill The thread has been merged and moved to the Servers and NAS section as it doesn't meet the requirements of the Tech News Section. Once updated it may be eligible to be reinstated there. 

 

-Related Threads Merged-