zlacker

[return to "Supermicro server motherboards can be infected with unremovable malware"]
1. xenadu+d3c 2025-09-29 02:10:02
>>zdw+(OP)
If you've never used the BMC on a server... it is all 100% garbage. Software mostly written by embedded folks who haven't got a clue. It is absolutely garbage software on the whole (no matter what vendor you get the board from). Go ahead and hit up the web interface, then do a bit of "View Source". If you are imagining the rest of that stack is any better, then, my friend, have I got a Beautiful Bridge in Brooklyn to sell you!

If it were me, I'd assume the majority of BMC firmware out there from all vendors:

1. Is full of many, many exploitable vulnerabilities.
2. To the extent they patch holes, it will be whack-a-mole because the economics do not permit large investments in software quality.
3. Many server owners will never install a patch anyway.

2. citrin+nyc 2025-09-29 09:12:15
>>xenadu+d3c
BMC software quality is low, but what's the alternative? Without a BMC it is more expensive to manage a fleet of servers. In a better world hardware vendors would publish specs to allow open-source BMC firmware, but for some reason they resist this idea. With only insecure BMCs available, a semi-separate management network (connected via a bastion host or a VPN) provides a balance between cost and security.
3. einste+hWc 2025-09-29 13:05:25
>>citrin+nyc
> BMC software quality is low but what's the alternative?

Dedicated KVM devices?
