Eclypsium researchers have discovered vulnerabilities affecting the firmware of both older and newer models of Supermicro server products. Researchers note these vulnerabilities do not by themselves put Supermicro products at risk, since they can only be exploited by malware already present on the system.
However, they could allow such malware to establish a near-permanent presence on infected systems, hiding in the firmware and surviving OS reinstalls.
The newly discovered vulnerabilities affect the firmware of Supermicro products and allow threat actors to modify a server's firmware, its most fundamental code.
The first flaw, which Eclypsium discovered in January, was not a bug in the firmware code itself but a configuration problem: some Supermicro products come with firmware that uses an improper setting for the "Descriptor Region."
The Descriptor Region is a security feature of Intel-based chipsets that tells the chipset which areas of its own flash storage external parties are allowed to access for storing data such as firmware or configuration files. Researchers discovered the flaw by testing descriptor access controls through runtime examination of various server firmware models.
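As an added illustration (not Eclypsium's or Supermicro's code), the following Python decodes the master access fields of an Intel SPI flash descriptor and reports whether the host CPU/BIOS master is permitted to write the descriptor region, which is the misconfiguration the article describes. It assumes the legacy FLMSTR bit layout of the pre-Skylake chipsets used by the X9/X10 generation boards named below; the flash images it parses are constructed samples, not real dumps.

```python
import struct

FD_SIGNATURE = 0x0FF0A55A                              # Intel flash descriptor signature at flash offset 0x10
REGIONS = ["descriptor", "bios", "me", "gbe", "pdr"]   # bit order of the FLMSTR read/write access fields
MASTERS = ["host_cpu_bios", "me", "gbe"]               # FLMSTR1..FLMSTR3, in order

def parse_master_access(flash: bytes) -> dict:
    """Decode the master access section of a raw SPI flash image (legacy, pre-Skylake FLMSTR layout).

    Returns {master: {"read": [regions], "write": [regions]}}.
    """
    (sig,) = struct.unpack_from("<I", flash, 0x10)
    if sig != FD_SIGNATURE:
        raise ValueError("no Intel flash descriptor signature at offset 0x10")
    (flmap1,) = struct.unpack_from("<I", flash, 0x18)
    fmba = ((flmap1 >> 16) & 0xFF) << 4   # Flash Master Base Address, stored in 16-byte units
    access = {}
    for i, master in enumerate(MASTERS):
        (flmstr,) = struct.unpack_from("<I", flash, fmba + 4 * i)
        read_bits, write_bits = (flmstr >> 16) & 0x1F, (flmstr >> 24) & 0x1F
        access[master] = {
            "read": [r for n, r in enumerate(REGIONS) if (read_bits >> n) & 1],
            "write": [r for n, r in enumerate(REGIONS) if (write_bits >> n) & 1],
        }
    return access

def descriptor_writable_by_host(flash: bytes) -> bool:
    """True when the host CPU/BIOS master may write the descriptor region (the insecure setting)."""
    return "descriptor" in parse_master_access(flash)["host_cpu_bios"]["write"]

def build_sample_flash(flmstr1: int) -> bytes:
    """Construct a minimal 4 KiB descriptor region for testing (a constructed sample, not a real dump)."""
    buf = bytearray(b"\xff" * 0x1000)
    struct.pack_into("<I", buf, 0x10, FD_SIGNATURE)
    # FLMAP1: NM=3 masters, FMBA=0x06 (master section at 0x60), FRBA=0x04 (region section at 0x40)
    struct.pack_into("<I", buf, 0x18, (3 << 24) | (0x06 << 16) | 0x04)
    struct.pack_into("<I", buf, 0x60, flmstr1)      # FLMSTR1: host CPU/BIOS, supplied by caller
    struct.pack_into("<I", buf, 0x64, 0x0C0D0000)   # FLMSTR2: ME reads desc/me/gbe, writes me/gbe
    struct.pack_into("<I", buf, 0x68, 0x08080000)   # FLMSTR3: GbE reads and writes only gbe
    return bytes(buf)

# Constructed host-master values: 0x0A0B0000 reads desc/bios/gbe and writes bios/gbe (locked);
# 0x1F1F0000 reads and writes every region, the descriptor included (unlocked).
LOCKED_FLASH = build_sample_flash(0x0A0B0000)
UNLOCKED_FLASH = build_sample_flash(0x1F1F0000)

if __name__ == "__main__":
    for name, image in (("locked", LOCKED_FLASH), ("unlocked", UNLOCKED_FLASH)):
        print(name, "descriptor writable by host:", descriptor_writable_by_host(image))
```

On a live system the same property is checked by chipsec's `common.spi_desc` module, which reads the access registers from the running chipset instead of a flash dump.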
They also found no anti-rollback protections for firmware images, which would prevent attackers from replacing newer firmware with older versions that contain known flaws.
"We have observed insecure firmware updates through runtime examination of various systems. This manual analysis uncovered that Supermicro X9DRi-LN4F+ and X10SLM-F systems did not securely authenticate firmware updates," the Eclypsium research team said. "We confirmed this result by intentionally modifying the binary in official Supermicro firmware images and observing that the system firmware still accepted and installed the modified package."
Supermicro systems do provide an anti-rollback firmware feature for their X11 generation products as an option to back out of an update.
“However, if a security update was introduced, then an older and vulnerable version of firmware exists, and it is properly signed,” researchers noted. “In order to prevent updates that re-introduce a security vulnerability, some firmware will allow version downgrade only when an update is not marked as a security update.
“If a properly-signed update is provided but the newer version contains security fixes, the older version is rejected. We also tested Supermicro systems for anti-rollback protections by intentionally updating to an older BIOS. This worked without any trouble.”
Researchers said they notified Supermicro about their discoveries back in January. "Supermicro has been supportive of our efforts and prioritized understanding and mitigating the issues we have discovered," Eclypsium said. "For the current generation of products, Supermicro indicated that they have already implemented a signed firmware update for several products and are making this update generally available for all future systems.
"Similarly, for OEM customers who require rollback capability for their customized and locked firmware versions to ensure business continuity, Supermicro indicated that they are supporting anti-rollback as an option for their X11 generation firmware.
"The SPI flash descriptor is read-only on most boards and we are helping Supermicro identify specific models where this may be incorrectly set."