Penguin Computing™ Statement on Eclypsium Reporting of Vulnerable Firmware in Enterprise Servers
BMC vulnerabilities on ASpeed platform with MergePoint EMS by Avocent (now Vertiv)
Potential Impact: Information disclosure
Severity: Medium
Summary Description
According to a published report, Eclypsium researchers identified firmware vulnerabilities on an ASpeed-based BMC platform running MergePoint EMS firmware from Avocent (now Vertiv).
Two specific vulnerabilities found in the BMC firmware would allow an attacker who already holds administrative privilege to make persistent, malicious modifications to the BMC firmware:
- The BMC firmware update process for MergePoint EMS does not perform cryptographic signature verification before accepting updates and writing their contents to SPI flash.
- The code in the BMC that performs the firmware update process itself contains a command injection vulnerability.
Mitigation Strategy for Customers (i.e. what you should do to protect yourself)
Update to the firmware level (or later) listed for your system in the Product Impact section.
If it is not feasible to update the firmware immediately, partial protection can be achieved by tightening access control over accounts that hold administrative privileges on the BMC.
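As an added example (not Penguin Computing's own tooling), the following Python script checks a downloaded update file against the filenames and MD5 checksums published in the Product Impact table of this advisory before the file is applied. The model-to-file mapping is copied from that table; the sample bytes in the demonstration are constructed.

```python
import hashlib
import hmac

# Filename and MD5 checksum per model, as published in this advisory's
# Product Impact table. The CMC of the Relion XE2142 uses a separate image.
ADVISORY_FILES = {
    "Relion XE1112": ("189.bin", "a36b6110347ba3628c0654aefe9089ee"),
    "Relion XE2112": ("189.bin", "a36b6110347ba3628c0654aefe9089ee"),
    "Relion XE2142 (BMC)": ("189.bin", "a36b6110347ba3628c0654aefe9089ee"),
    "Relion XE2142 (CMC)": ("133.bin", "036794fa7e6d8e03d70fc47af5c9598b"),
    "Relion XE4112": ("189.bin", "a36b6110347ba3628c0654aefe9089ee"),
    "Relion XE1114GT": ("189.bin", "a36b6110347ba3628c0654aefe9089ee"),
    "Relion XE2112GT": ("189.bin", "a36b6110347ba3628c0654aefe9089ee"),
    "Relion XE2118GT": ("189.bin", "a36b6110347ba3628c0654aefe9089ee"),
    "Relion XE4118GT": ("189.bin", "a36b6110347ba3628c0654aefe9089ee"),
    "Relion XE4118GTS": ("189.bin", "a36b6110347ba3628c0654aefe9089ee"),
    "Relion XO1132g": ("189.bin", "a36b6110347ba3628c0654aefe9089ee"),
    "Altus XE1111": ("189.bin", "a36b6110347ba3628c0654aefe9089ee"),
    "Altus XE2111": ("189.bin", "a36b6110347ba3628c0654aefe9089ee"),
}

CHUNK = 1 << 16  # hash the image in 64 KiB pieces


def md5_hex(data: bytes) -> str:
    """MD5 of an update image; the advisory publishes MD5, so match that."""
    h = hashlib.md5()
    for offset in range(0, len(data), CHUNK):
        h.update(data[offset:offset + CHUNK])
    return h.hexdigest()


def check_update_file(model: str, filename: str, data: bytes) -> bool:
    """True only if both filename and checksum match the advisory entry.

    A vendor-published MD5 shows the download is the file this advisory
    describes; it is not a signature, so it does not stand in for the
    signed-update verification that this BMC firmware lacks.
    """
    entry = ADVISORY_FILES.get(model)
    if entry is None:
        return False  # model not covered by this advisory
    expected_name, expected_md5 = entry
    if filename != expected_name:
        return False
    return hmac.compare_digest(md5_hex(data), expected_md5)


if __name__ == "__main__":
    # Constructed sample bytes, not a real image: expected to be rejected.
    print(check_update_file("Relion XE1112", "189.bin", b"not-the-real-image"))
```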
Acknowledgement
Penguin Computing would like to thank Gigabyte and Eclypsium for reporting on this issue.
Product Impact
SERVER MODELS | FILENAME | CHECKSUM (MD5) | HOW TO OBTAIN FILE
---|---|---|---
Relion XE1112 | 189.bin | a36b6110347ba3628c0654aefe9089ee | [email protected]
Relion XE2112 | 189.bin | a36b6110347ba3628c0654aefe9089ee | [email protected]
Relion XE2142 (BMC) | 189.bin | a36b6110347ba3628c0654aefe9089ee | [email protected]
Relion XE2142 (CMC) | 133.bin | 036794fa7e6d8e03d70fc47af5c9598b | [email protected]
Relion XE4112 | 189.bin | a36b6110347ba3628c0654aefe9089ee | [email protected]
Relion XE1114GT | 189.bin | a36b6110347ba3628c0654aefe9089ee | [email protected]
Relion XE2112GT | 189.bin | a36b6110347ba3628c0654aefe9089ee | [email protected]
Relion XE2118GT | 189.bin | a36b6110347ba3628c0654aefe9089ee | [email protected]
Relion XE4118GT | 189.bin | a36b6110347ba3628c0654aefe9089ee | [email protected]
Relion XE4118GTS | 189.bin | a36b6110347ba3628c0654aefe9089ee | [email protected]
Relion XO1132g | 189.bin | a36b6110347ba3628c0654aefe9089ee | [email protected]
Altus XE1111 | 189.bin | a36b6110347ba3628c0654aefe9089ee | [email protected]
Altus XE2111 | 189.bin | a36b6110347ba3628c0654aefe9089ee | [email protected]
Revision History
REVISION | DATE | DESCRIPTION
---|---|---
1 | 2019-07-19 | Initial Release