The never ending story...

L&LD

Not only are BMCs vulnerable (of course), but even 'super admins' don't feel they need to take the precautions they should.

Why should you update for security issues? Here's the poster child.

(I'm sure they were gunning for 'uptime' though). :)

It's ok, there is a plan in place for all these recent vulnerabilities.

BMCs have always been problematic, as is the underlying interface (normally IPMI) - only recently have vendors started randomizing the default passwords, and there are many that are Java-based for the KVM functionality that are based on very old versions of Java.

It's not just SuperMicro, it's all the vendors - HP, Dell, IBM/Lenovo, QCT, you name it...
All these articles that call out a specific vendor or product, it's like, yeah, that's the one for today, tomorrow it will be another, and another, etc.

This is why true security experts, consultants, etc will tell you the key is not trying to patch and protect every device/endpoint, but reducing your attack surface, layering security, and detecting issues before they do harm. That's why there's very good money in running an SOC with some competent personnel.

Actually the reason I'm steering away from Ubiquiti now is the latest versions of their Unifi management console require you to pick and use an open source version of Java, the official version is no longer supported. Apparently some confusion over licensing, they could have kept using it but thought it was moving to a paid model or something. But Java has enough issues without introducing open sourced versions into the mix. No thanks. I upgraded to the last controller version that didn't require it and stayed there until my last Unifi AP finally crapped out.

Hopefully they'll course-correct as their products are very good values for the money. Or maybe they just want everyone to pay for subscription based cloud management (coming full circle to our other discussion).