Researchers at Eclypsium disclosed vulnerabilities discovered in the BMC firmware used by Lenovo and Gigabyte servers. The vulnerabilities can be used to embed a malicious program into the firmware, where it is difficult to detect and persists even after the hard disk is formatted. To exploit them, however, the attacker first needs administrator privileges.
The vulnerability exists in Vertiv’s MergePoint EMS Baseboard Management Controller (BMC) firmware, which is used in Lenovo’s server products and on Gigabyte’s server boards. The researchers reported it to Lenovo in July 2018, and Lenovo released the patch in November last year; in March this year, the same vulnerability was found in the same firmware on Gigabyte’s motherboards.
The researchers found two problems. The first is the lack of cryptographic signature checking before a firmware update, so that an attacker can install malicious firmware. “Second, there is a shell-command-injection vulnerability, designated CVE-2018-9086, in Vertiv’s firmware. If you don’t fancy crafting malicious BMC firmware images to install via the first vulnerability, CVE-2018-9086 will let you inject shell commands directly into the Linux environment running on the BMC via its update mechanism, and alter its software and scripts that way.”
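The first problem is an update path that writes whatever image it is handed. The Go program below is an added example of the check a BMC should perform before flashing, written for this article rather than taken from Eclypsium, Vertiv or Lenovo; its image layout (a 64-byte Ed25519 signature followed by the payload) and the vendor key pair are constructed assumptions, not the real MergePoint format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Constructed image layout for this example (not Vertiv's real format):
// bytes [0:64] Ed25519 signature over the rest; bytes [64:] firmware payload.
const sigLen = ed25519.SignatureSize

var (
	ErrTooShort     = errors.New("firmware image rejected: shorter than signature header")
	ErrBadSignature = errors.New("firmware image rejected: signature verification failed")
)

// SignImage models the vendor build pipeline: sign the payload with the private key.
func SignImage(priv ed25519.PrivateKey, payload []byte) []byte {
	return append(ed25519.Sign(priv, payload), payload...)
}

// VerifyImage is the check that was missing on the BMC: run it before any byte of
// the image touches flash. It returns the payload only if the vendor's signature
// over it verifies; any change to payload or signature is rejected.
func VerifyImage(pub ed25519.PublicKey, image []byte) ([]byte, error) {
	if len(image) < sigLen {
		return nil, ErrTooShort
	}
	sig, payload := image[:sigLen], image[sigLen:]
	if !ed25519.Verify(pub, payload, sig) {
		return nil, ErrBadSignature
	}
	return payload, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // stands in for the vendor key pair
	good := SignImage(priv, []byte("constructed BMC firmware payload v1.0"))
	if _, err := VerifyImage(pub, good); err == nil {
		fmt.Println("genuine image accepted")
	}
	tampered := append([]byte(nil), good...)
	tampered[len(tampered)-1] ^= 0x01 // flip one bit of the payload
	_, err := VerifyImage(pub, tampered)
	fmt.Println("tampered image:", err)
}
```

The public key has to live in the BMC's own immutable storage (boot ROM or fused); a key that ships inside the updatable image can be replaced along with it, and the check also has to happen before the update mechanism does anything else with the file, including handing its name to a shell.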