SuperMicro BMC Issue
Securing the Network Interface to IPMI is a straightforward security fix
Bloomberg Businessweek published a news report stating that Super Micro assembly contractors in China reportedly added hardware in secret to motherboards, hardware that could compromise a system.
The reports mention that intelligence agencies as well as specific large corporations including Apple and Amazon were targeted and shipped compromised motherboards. Apple, Amazon and Supermicro quickly issued statements roundly denying that any Supermicro servers / motherboards were compromised with malicious chips or hardware modification. Here are the statements from Amazon, Apple and Supermicro:
I – Arxys does not feel the Bloomberg article is credible given the powerful denials by Apple and Amazon and its history with Supermicro.
The Bloomberg report lists only unnamed sources, but explicitly names Apple and Amazon as being affected in a major way by the allegedly hacked Supermicro motherboards. Both Apple and Amazon refute the Bloomberg story, providing explicit details. Apple and Amazon go even further, stating that on numerous occasions they informed Bloomberg that its story was erroneous.
Apple and Amazon are highly disincentivized to misrepresent the facts in this matter. The consequences of misrepresentation far outweigh any benefit Apple and Amazon would receive from denying a three-year-old issue that, according to the article, was resolved and is no longer a threat.
Super Micro also refutes the Bloomberg article. Arxys has been doing business with Super Micro for over 20 years. During those 20 years Super Micro has acted ethically and been a valued partner in assisting Arxys in providing custom storage solutions to its customers. Super Micro was founded in Taiwan and is now headquartered in San Jose; it is not a “Chinese” company any more than HP is a Chinese company. Today the majority of motherboards are made in China.
II – Assuming the Bloomberg article is correct and motherboards were indeed modified, Arxys does not believe any modified motherboards were delivered to Arxys and subsequently shipped to Arxys end users.
The Bloomberg article mentions that the Chinese targeted motherboards that were being delivered to specific end users. Super Micro is one of the world’s largest and most respected motherboard / server manufacturers. It is the 3rd largest supplier of servers in the world. It would be impossible for every Super Micro motherboard manufactured to be compromised. Had a majority of Super Micro motherboards been affected, the modifications would have been discovered quickly, as stated in the link below:
“One of the more interesting bits is that if it is a BMC vulnerability or anything that “phones home” over a network interface, one would expect that security researchers would have seen it. There are companies that put boxes on networks just to see what network traffic they create. Supermicro tends to build common designs that it ships to multiple customers. It would be slightly interesting if only some Supermicro servers, e.g. for certain customers were impacted. If China did not do this, it would have been caught earlier. If China did limit to a few customers, it would be difficult to target them at PCB. As we will show shortly, Supermicro PCBs are used across products.”
Arxys does not purchase hardware directly from Super Micro. Arxys acquires Super Micro hardware from various distributors. No one at Super Micro knows who Arxys’ end users are. We believe that the likelihood of Arxys, and by extension Arxys’ customers, being specifically targeted is extremely low.
III – The Bloomberg article and commenting industry analysts indicate that the hardware in the affected systems is Super Micro’s MicroBlade systems.
Arxys does not currently utilize any MicroBlade systems in any Arxys products. The Super Micro motherboards utilized in Arxys products are standard ATX and E-ATX form factor motherboards.
IV – Assuming the reports are accurate and that an Arxys end user has a modified system, the attached procedure can alleviate the hack as described by Bloomberg.
Very little is known as to the specifics of the hack. Assuming the reports are accurate, the reported compromised motherboards have additional hardware that could possibly allow the BMC to be remotely controlled. The BMC is used for remote management via IPMI. The reported hack requires network access and, more importantly, internet access to really do any damage. We believe the risk for Esri customers to be extremely low because, to our knowledge, none of the Arxys-supplied storage solutions should be directly connected to the internet. Attached is a brief outline with instructions on how best to secure BMC access via IPMI over networks. The best way to do this is to physically unplug the IPMI interface from any network.