Posted on 2018/06/11
On the 8th June, an article was published on www.bleepingcomputer.com relating to the security of Supermicro’s motherboard BIOS and firmware.
The article explains that Supermicro does not currently enforce any check that BIOS/firmware updates come from an authorised source, meaning that potentially any code could be installed.
We at Boston Labs approached Supermicro for comment. In response, Supermicro provided the update below, which has also been posted to their website; it explains the findings in more detail and sets out their plans to address these potential vulnerabilities.
UPDATE (June 8, 2018):
A 3rd party security firm has been testing the BIOS/Firmware security of our systems. They recently published the results of that effort and we have introduced fixes to the issues raised in the blog. There are three different security areas identified in the blog.
1. Read/Write versus Read Only Firmware/Flash Descriptor Table
This issue does not affect the latest generation of X11 or earlier generation X9 products, but X10 products are impacted. We do not believe this issue will impact any customers' data but could make the system non-operational.
For the affected platforms we will be rolling out the fix along with the latest Spectre/Meltdown (Intel-SA-00115) firmware update. These combined updates will be rolling out over the next few weeks. Please check the status of individual updates below. We are combining this update with the fix for the latest Spectre/Meltdown BIOS to minimize the number of reboots and BIOS updates required.
2. The two other issues raised in the article are new security features (cryptographically signing the BIOS and limiting BIOS downgrades in cases of a critical security patch). We are already shipping these features for some customers and for all new platforms moving forward these features are enabled.
Due to issues of backward compatibility, we are making the upgrade to these new features optional for existing systems. For customers with existing platforms, please contact your sales representative or associated product manager to determine if upgrading the features for software signing and limited rollbacks on your existing systems is appropriate. A new BIOS with these features enabled will be required. Availability of the BIOS will be based on demand.
BIOS and Firmware security have become a growing challenge for the industry. We highly recommend customers update BIOS and Firmware on their systems on a regular basis as these new vulnerabilities are addressed.
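As an added illustration that is not part of the original post or of Supermicro's firmware, the Go program below models the two features named in item 2 of the statement: a platform that flashes an update only if a detached signature verifies under the vendor's public key, and that refuses any image whose version is below the version already installed. The image layout, the runtime key generation, the digest construction and the rule of raising the version floor on every accepted image are assumptions made for this example; the page does not describe how Supermicro's own implementation works.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// UpdateImage is a constructed stand-in for a BIOS/firmware update:
// a monotonically increasing version number plus the image bytes.
type UpdateImage struct {
	Version uint32
	Payload []byte
}

// UpdatePolicy is what the platform enforces before flashing: the
// vendor's public key and the lowest version it will still accept
// (the anti-rollback floor, raised whenever a newer image is installed).
type UpdatePolicy struct {
	VendorKey  ed25519.PublicKey
	MinVersion uint32
}

var (
	ErrBadSignature = errors.New("signature does not verify under the vendor key")
	ErrRollback     = errors.New("image version is below the anti-rollback floor")
)

// digest binds the version to the payload under a fixed label, so a
// signature on one image cannot be replayed onto a different version
// or a modified payload.
func digest(img UpdateImage) []byte {
	var ver [4]byte
	binary.BigEndian.PutUint32(ver[:], img.Version)
	h := sha256.New()
	h.Write([]byte("example-bios-update-v1:"))
	h.Write(ver[:])
	h.Write(img.Payload)
	return h.Sum(nil)
}

// GenerateVendorKey creates the signing key pair. It is generated at
// runtime here for the demonstration; a vendor would keep the private
// half offline and burn only the public half into the platform.
func GenerateVendorKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Sign produces the detached signature that ships with an update.
func Sign(priv ed25519.PrivateKey, img UpdateImage) []byte {
	return ed25519.Sign(priv, digest(img))
}

// Accept is the check performed before flashing. It rejects images that
// are unsigned, signed by another key, or changed after signing, and it
// rejects images older than the current floor. On success it raises the
// floor so the accepted image cannot later be downgraded past.
func (p *UpdatePolicy) Accept(img UpdateImage, sig []byte) error {
	if !ed25519.Verify(p.VendorKey, digest(img), sig) {
		return ErrBadSignature
	}
	if img.Version < p.MinVersion {
		return ErrRollback
	}
	p.MinVersion = img.Version
	return nil
}

func main() {
	pub, priv, err := GenerateVendorKey()
	if err != nil {
		panic(err)
	}
	platform := &UpdatePolicy{VendorKey: pub, MinVersion: 1}

	v2 := UpdateImage{Version: 2, Payload: []byte("constructed image v2")}
	fmt.Println("vendor-signed v2:   ", platform.Accept(v2, Sign(priv, v2)))

	tampered := UpdateImage{Version: 2, Payload: []byte("constructed image v2 + extra code")}
	fmt.Println("modified after sign:", platform.Accept(tampered, Sign(priv, v2)))

	_, otherPriv, _ := GenerateVendorKey()
	fmt.Println("signed by other key:", platform.Accept(v2, Sign(otherPriv, v2)))

	v1 := UpdateImage{Version: 1, Payload: []byte("constructed image v1")}
	fmt.Println("downgrade to v1:    ", platform.Accept(v1, Sign(priv, v1)))
}
```

The version is hashed together with the payload, so the anti-rollback check relies on the same signature that protects the image contents; a version number carried outside the signed data could be edited freely. Raising the floor on every accepted image is the strictest reading of "limiting BIOS downgrades"; a vendor that only wants to block rollback past a critical security patch would raise the floor selectively rather than on every update.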
If you have any questions about this, please do get in contact with us for further details.
We’ll be keeping a close eye on developments as they unfold and will post any further updates as we receive them.