Well, I'm sure both users of Supermicro servers will be glad to hear there's a fix.
Researchers claim to have discovered an exploitable flaw in the baseboard management controller (BMC) hardware used by Supermicro servers. Security biz Eclypsium today said a weakness in the mechanism for updating a BMC's firmware could be abused by an attacker to install and run malicious code that would be extremely …
Friday 7th September 2018 08:50 GMT Chris Hills
Friday 7th September 2018 09:43 GMT Christian Berger
Friday 7th September 2018 14:25 GMT Spazturtle
Re: Is this a good fix?
AMD server CPUs are not hardware locked, the ability to overclock them is locked in the motherboards firmware. People have been buying supermicro boards for years so that they can flash a custom firmware and overclock AMD server CPUs. Would hate to see this niche hobby die off.
Thursday 4th October 2018 17:27 GMT Anonymous Coward
28 Days Later... have Bloomberg just picked up on this?
As title. Have Bloomberg just spotted this, rehashed it without understanding al the proper hashtags (e.g. pencil tip, eclypsium), and the vulnerable readers and writers of the mass market media are lapping it up?
Or are the two concepts unrelated?
Thursday 4th October 2018 17:51 GMT A Known Coward
Re: 28 Days Later... have Bloomberg just picked up on this?
The bloomberg article, for which they have 17 well placed sources - inside Amazon, Apple and the US government is that they discovered three years ago that Supermicro boards had been modified at the production line in china with the addition of a tiny chip which added a backdoor to the system. What's missing from the article is the sort of technical detail we would all like.
Friday 5th October 2018 18:31 GMT Anonymous Coward
Re: "17 well placed sources - inside Amazon, Apple and the US government"
O'Really? Would that by any chance be these people:
"Two Amazon employees
Three Apple employees
Six intelligence agencies officials
Six other people that Bloomberg says confirmed various different aspects of the story"
" The entire story may hinge on that report that Bloomberg claims exists and Amazon denies."
Both quotes are from a very reputable source (even more reputable than Apple's tax imagineers):
Sorry, I'm not buying the original Bloomberg 'story' yet, it sounds rather like someone may have misunderstood a poor explanation of how SPI flash (or similar) works (or doesn't), especially when it comes in very small chips the size of a pencil tip, which are bigger inside than they are outside, and which can sometimes be manipulated in inconvenient ways without much visibility at the time.