"Firmware Flaws Could Spell 'Lights Out' for Servers"

Five vulnerabilities in the Baseboard Management Controller (BMC) firmware used in servers from at least 15 major vendors allow the remote compromise of systems in data centers and for cloud services. Two of the vulnerabilities, disclosed this week by the hardware security firm Eclypsium, exist in System-on-Chip (SoC) computing platforms that use AMI's MegaRAC BMC software for remote management. Eclypsium disclosed three of the vulnerabilities in December 2022, but withheld information on two additional vulnerabilities until recently in order to provide AMI with extra time to address the issues. BMCs are typically a single chip on a motherboard that enables administrators to manage servers remotely. The vulnerabilities could affect manufacturers, including AMD, Asus, ARM, Dell, EMC, Hewlett-Packard Enterprise, Huawei, Lenovo, and Nvidia. According to Nate Warfield, director of threat research and intelligence at Eclypsium, since the vulnerabilities can only be exploited if the servers are directly connected to the Internet, it is difficult to determine the scope of the vulnerabilities. This article continues to discuss the vulnerabilities found in the BMC software used by major vendors. 

Dark Reading reports "Firmware Flaws Could Spell 'Lights Out' for Servers"