Connect with us

Hi, what are you looking for?



BMC Firmware Vulnerabilities Affect Lenovo, Gigabyte Servers

Researchers at firmware security company Eclypsium discovered that the baseboard management controller (BMC) shipped with some servers from Lenovo, Gigabyte and other vendors contains some potentially serious vulnerabilities.

Researchers at firmware security company Eclypsium discovered that the baseboard management controller (BMC) shipped with some servers from Lenovo, Gigabyte and other vendors contains some potentially serious vulnerabilities.

The BMC is a small computer present on a majority of server motherboards. A component of the Intelligent Platform Management Interface (IPMI), it allows administrators to remotely control and monitor a server without having to access the operating system or applications running on it. Admins can use the BMC to reboot a device, install an operating system, update the firmware, monitor system parameters, and analyze logs.

While the capabilities provided by the BMC can be highly useful, the system also introduces security risks, with several attacks demonstrated in the past by experts.

Eclypsium researchers discovered flaws in the BMC firmware while analyzing a Lenovo ThinkServer RD340 server. Further analysis revealed that the vulnerable firmware was sourced as a third-party product called MergePoint EMS, made by Vertiv (formerly Avocent), which is also used by many Gigabyte Enterprise Servers.

The vulnerabilities also made their way into firmware present on motherboards provided by Gigabyte to other companies for their own servers, including Acer, Amax, Bigtera, Ciara, Penguin Computing and sysGen.

“This highlights an important challenge for the industry. Most hardware vendors do not write their own firmware and instead rely on their supply chain partners,” Eclypsium explained. “Firmware is quite commonly licensed from a third party and used with little modification, allowing vulnerabilities to extend to many different brands and products. To adapt, manufacturers must thoroughly test any firmware they license for vulnerabilities. Likewise, enterprise security teams should perform security scans of device firmware as part of accepting any new piece of hardware.”

Eclypsium researchers have identified two types of BMC firmware vulnerabilities. One of them is related to the fact that the firmware update process does not check an update’s cryptographic signature before accepting it and writing it to the SPI flash memory. The second issue is that the code responsible for the firmware update process contains a vulnerability that can be exploited for command injection.

Advertisement. Scroll to continue reading.

An attacker who has elevated privileges on the host can exploit these flaws to execute malicious code in the BMC as root and modify the content of the BMC memory. This allows them to maintain persistence across reinstallation of the operating system, and prevent other firmware updates. The only way to recover from these attacks is to physically reflash the SPI chip, Eclypsium says.

“Because IPMI communications can be performed over the BMC LAN interface, this update mechanism could be exploited remotely if the attacker has been able to capture the administration password for the BMC. This is particularly likely in the case of IPMI group managed systems where all members of the group share the same administration credentials,” the company warned.

Lenovo has confirmed the existence of the command injection vulnerability (tracked as CVE-2018-9086) and released patches for impacted ThinkServer servers. Gigabyte has also released a patched firmware version, but only for one of the two affected versions. Vertiv, on the other hand, did not respond to the security firm’s communications.

Related: Hackers Can Plant Backdoors on Bare Metal Cloud Servers

Related: Servers Can Be Bricked Remotely via BMC Attack

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.