Security researchers with Eclypsium, a firm founded by two former Intel executives that specializes in rooting out vulnerabilities in server firmware, have uncovered vulnerabilities affecting the firmware of Supermicro servers. Fortunately, exploiting them first requires a foothold on the system.
The good news is these vulnerabilities can be exploited only via malicious software already running on a system. So, the challenge is to get the malicious code onto the servers in the first place. The bad news is these vulnerabilities are easily exploitable and can give malware the same effect as having physical access to this kind of system.
“A physical attacker who can open the case could simply attach a hardware programmer to bypass protections. Using the attacks we have discovered, it is possible to scale powerful malware much more effectively through malicious software instead of physical access,” Eclypsium said in a blog post announcing its findings.
What are the Supermicro vulnerabilities?
The first of the flaws is in the configuration of some Supermicro products, rather than in the firmware itself. The problem lies with a setting known as the Descriptor Region, a feature of Intel chipsets that tells the chipset which areas of its own flash storage can be accessed by which parties.
According to Eclypsium, an insecurely configured descriptor may allow malicious software with administrative privileges in the host OS to modify firmware code and data that the host processor would otherwise never need to read or write directly. The problem, which Supermicro confirmed, dates back to products from 2008.
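The descriptor check a defender would want, as an added example that is not Eclypsium's or Supermicro's code: it parses the flash master permissions from a SPI flash dump and flags any region the host CPU can write that it should never need to. It assumes the classic (pre-Skylake) descriptor layout, and the two images it runs against are constructed sample data, not real dumps.

```python
import struct

FD_SIGNATURE = 0x0FF0A55A  # Intel Flash Descriptor signature, found at offset 0x10 of the flash
REGIONS = ["Descriptor", "BIOS", "ME", "GbE", "PlatformData"]  # region bit order
MASTERS = ["HostCPU/BIOS", "ME", "GbE"]  # FLMSTR1..3 order

def parse_descriptor_masters(flash):
    """Return {master: (readable_regions, writable_regions)} for a flash image.
    Assumes the classic layout: FLMSTRn bits 16-23 = read mask, 24-31 = write mask."""
    sig_off = flash.find(struct.pack("<I", FD_SIGNATURE))
    if sig_off < 0:
        raise ValueError("no flash descriptor signature found")
    flmap1 = struct.unpack_from("<I", flash, sig_off + 0x8)[0]
    fmba = (flmap1 & 0xFF) << 4  # Flash Master Base Address, in bytes from start of flash
    masters = {}
    for i, name in enumerate(MASTERS):
        flmstr = struct.unpack_from("<I", flash, fmba + 4 * i)[0]
        read_bits = (flmstr >> 16) & 0xFF
        write_bits = (flmstr >> 24) & 0xFF
        readable = [r for b, r in enumerate(REGIONS) if read_bits & (1 << b)]
        writable = [r for b, r in enumerate(REGIONS) if write_bits & (1 << b)]
        masters[name] = (readable, writable)
    return masters

def descriptor_findings(flash):
    """Regions the host CPU may write but the host OS should never need to modify."""
    _, writable = parse_descriptor_masters(flash)["HostCPU/BIOS"]
    return [r for r in ("Descriptor", "ME") if r in writable]

def build_sample_image(host_write_bits):
    """Constructed 4 KiB descriptor image (sample data, not a real dump)."""
    img = bytearray(b"\xff" * 0x1000)
    struct.pack_into("<I", img, 0x10, FD_SIGNATURE)
    fmba = 0x60
    struct.pack_into("<I", img, 0x18, (2 << 8) | (fmba >> 4))  # FLMAP1: NM=2, FMBA
    struct.pack_into("<I", img, fmba + 0, (host_write_bits << 24) | (0x1F << 16))  # host reads all
    struct.pack_into("<I", img, fmba + 4, (0x04 << 24) | (0x05 << 16))  # ME: r Desc+ME, w ME
    struct.pack_into("<I", img, fmba + 8, (0x08 << 24) | (0x08 << 16))  # GbE: r/w GbE only
    return bytes(img)

INSECURE_IMAGE = build_sample_image(0x1F)  # host may write every region, incl. Descriptor and ME
SECURED_IMAGE = build_sample_image(0x0A)   # host limited to BIOS and GbE regions

if __name__ == "__main__":
    for label, img in (("insecure", INSECURE_IMAGE), ("secured", SECURED_IMAGE)):
        print(label, "host-writable protected regions:", descriptor_findings(img))
```

On a real system the image would come from a flash dump taken with the vendor's or chipsec's SPI read tooling; newer chipsets use a wider 12-bit region mask and would need the master fields decoded differently.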
The next problem is in the UEFI system, which handles firmware updates to the server. In order to install updates, the UEFI specification has standardized a mechanism for storing and processing updates as a “capsule” that is presented to firmware during the boot process. This is to keep malware from nosing its way into the upgrade process.
Eclypsium said it observed insecure firmware updates while examining various systems at runtime; several models did not securely authenticate firmware updates. Researchers were able to download a standard firmware update, change the code of one of its modules, and successfully apply it to systems using the standard update tools. This would allow malicious code to be introduced into the firmware.
The Eclypsium team also noted there were no anti-rollback protections against installing older firmware images. It found that some updates were not properly signed, so older versions could be installed over newer firmware, something that should not be allowed. An attacker might want to install an older firmware with a known vulnerability so they can then exploit it; that is why older firmware is not supposed to be installable.
The Eclypsium post goes into great detail on how to mitigate the Supermicro vulnerabilities, which I will leave to you to read. I reached out to Supermicro, and they had no comment other than to say the team has been working very closely with Eclypsium regarding the vulnerabilities from their initial discovery until now.