from Hacker News

Hackable Intel and Lenovo hardware went undetected for 5 years

by tmalsburg2 on 4/11/24, 7:46 PM with 12 comments

  • by transpute on 4/12/24, 1:09 AM

    > With no fixes available from Intel or Lenovo, there’s not much users of these affected hardware can do. It’s worth mentioning explicitly, however, that the severity of the lighttpd vulnerability is only moderate and is of no value unless an attacker has a working exploit for a much more severe vulnerability.

    For unsupported but functional hardware with vulnerable BMCs, it would be helpful to have a toolkit (e.g. stacking multiple exploits) for hardware owners to replace the vulnerable software with OpenBMC, https://github.com/openbmc/openbmc.

    Abandoned hardware owners could crowdfund an effort to add OpenBMC compatibility testing for their devices. This also falls under the rubric of repairability technology and a circular economy for electronics.

  • by c_o_n_v_e_x on 4/12/24, 6:47 AM

    Former server product manager here.... small nitpick. AMI does not manufacture BMC chipsets. They develop the firmware (like AMI MegaRAC SP-X) that is loaded into the BMC.

    I've never heard of AETN before? I thought maybe they could be Insyde, a competitor to AMI, out of Taiwan, who also develops BMC firmware, but could not find a connection with "AETN." Phoenix is another BMC firmware developer although they've been focusing on OpenBMC.

    ASPEED out of Taiwan is huge in the BMC chip business. There are some new FPGA based implementations for BMC / BMC-like cards based on standards that have come out of the open compute group... pretty cool stuff.

  • by hulitu on 4/12/24, 7:39 AM

    If you insert enogh backdoors,, some of them will remain undetected.

  • by m463 on 4/12/24, 4:53 AM

    I expect if you hook a machine up through an on-board ethernet port, it might be vulnerable.

    Can you really prevent this with a bios setting?

    would using a 3rd party (pcie or usb) ethernet adapter prevent it?

  • by 3np on 4/12/24, 7:03 AM

    I would always treat the BMC authentication as an additional layer of defense. That is, don't expose it on untrusted networks in the first place.

  • by effluvium on 4/11/24, 11:45 PM

    "Researchers from security firm Binarly have confirmed that the lapse has resulted in Intel, Lenovo, and Supermicro shipping server hardware that contains a vulnerability that can be exploited to reveal security-critical information. The researchers, however, went on to warn that any hardware that incorporates certain generations of baseboard management controllers made by Duluth, Georgia-based AMI or Taiwan-based AETN are also affected. ... BMCs are tiny computers soldered into the motherboard of servers that allow cloud centers, and sometimes their customers, to streamline the remote management of vast fleets of servers. ... In general, BMCs should be enabled only when needed and locked down carefully, as they allow for extraordinary control of entire fleets of servers with simple HTTP requests sent over the Internet."

    For personal computing, any recommendations on motherboard manufacturers who take security seriously?