Supermicro server motherboards can be infected with unremovable malware | Poal: Say what you want.

Welcome • User Guide
ToS • Privacy • Canary
Donate • Bugs • License

©2025 Poal.co

1.1K

•

Supermicro server motherboards can be infected with unremovable malware (arstechnica.com)

Something to consider if buying used hardware.

Archive: https://archive.today/EFbFF

From the post:

>Servers running on motherboards sold by Supermicro contain high-severity vulnerabilities that can allow hackers to remotely install malicious firmware that runs even before the operating system, making infections impossible to detect or remove without unusual protections in place. One of the two vulnerabilities is the result of an incomplete patch Supermicro released in January, said Alex Matrosov, founder and CEO of Binarly, the security firm that discovered it. He said that the insufficient fix was meant to patch CVE-2024-10237, a high-severity vulnerability that enabled attackers to reflash firmware that runs while a machine is booting. Binarly discovered a second critical vulnerability that allows the same sort of attack.

Something to consider if buying used hardware. Archive: https://archive.today/EFbFF From the post: >>Servers running on motherboards sold by Supermicro contain high-severity vulnerabilities that can allow hackers to remotely install malicious firmware that runs even before the operating system, making infections impossible to detect or remove without unusual protections in place. One of the two vulnerabilities is the result of an incomplete patch Supermicro released in January, said Alex Matrosov, founder and CEO of Binarly, the security firm that discovered it. He said that the insufficient fix was meant to patch CVE-2024-10237, a high-severity vulnerability that enabled attackers to reflash firmware that runs while a machine is booting. Binarly discovered a second critical vulnerability that allows the same sort of attack.

(post is archived)

[–] • 1 pt

Used HW is one of those things that I suggest contrary to - no provenance and thus no positive control of the supply chain. That said, buying new doesn't necessarily mean positive control either but I'd be more willing advocate for new. We can only do so much to ensure some level of cognizance of the HW builds, and industry is still struggling, but making some progress to identifying, enumering and socializing CPEs (Common Platform Enumerations) of known fuckery that could introduce an issue.

The flip-side is an educated user-base that actually knows the shit they buy and deploy; tracks known issues and implements mitigating controls. Know your supply chain - BOM that shit.

link

[–] • 3 pts

Yep. Cisco famously setup extremely complex shipping protocols for some clients (that paid more for it) specifically to avoid USA's Tailored access operations (TAO) intercepting the hardware in transit and either modifying the hardware entirely or replacing the firmware with a intentionally hijacked firmware.

parent
link

[–] • 1 pt

It’s not compatible with DEI.

parent
link