Supermicro server motherboards can be infected with unremovable malware
1. xenadu+d3c 2025-09-29 02:10:02
>>zdw+(OP)
If you've never used the BMC on a server... it is all 100% garbage. Software mostly written by embedded folks who haven't got a clue. It is absolutely garbage software on the whole (and no matter what vendor you get the board from). Go ahead and hit up the web interface then do a bit of "View Source". If you are imagining the rest of that stack is any better, then my friend, have I got a Beautiful Bridge in Brooklyn to sell you!

If it were me I'd assume the majority of BMC firmware out there from all vendors:

1. Is full of many, many exploitable vulnerabilities.
2. To the extent they patch holes it will be whack-a-mole because the economics do not permit large investments in software quality.
3. Many server owners will never install a patch anyway.

2. preiss+Vvc 2025-09-29 08:41:16
>>xenadu+d3c
There is the open source OpenBMC software nowadays, which is pretty good.

Unfortunately, Supermicro doesn't use it yet for most of their servers. Probably because they sell an extremely expensive license for their own software so you can use the Redfish API.

3. gpapil+2Kc 2025-09-29 11:33:54
>>preiss+Vvc
The one vendor mentioned in the comments, AMI, is switching this code base to OpenBMC. Also, it should be noted that often this software is system specific.