Gigabyte and Lenovo have published firmware updates for some of their server-grade motherboards. The affected products use a firmware component called MergePoint EMS from Avocent, a wholly owned subsidiary of data center equipment and service provider Vertiv. Both Gigabyte and Lenovo used the MergePoint EMS component, shipping it on certain server-line motherboards as the firmware of the baseboard management controller (BMC).

BMCs are part of the larger Intelligent Platform Management Interface (IPMI). IPMI is a collection of tools commonly found on servers and workstations on corporate networks that allow sysadmins to manage systems remotely. The BMC is a component that includes its own CPU, storage, and LAN port, letting a remote admin connect or send instructions for various operations to the PC/server, including changing OS settings, reinstalling the OS, or updating drivers.

Eclypsium security researchers published details of two flaws in the Vertiv Avocent MergePoint EMS BMC firmware in a report released on Tuesday 16 July 2013. First, the component lacks a cryptographically secured update process, so the BMC firmware can be overwritten by any attacker with a foothold on an infected device. Second, there is a command injection vulnerability in the MergePoint EMS component, allowing an attacker to run malicious code with the highest privileges on a host running vulnerable MergePoint EMS BMC firmware. Both vulnerabilities require that the attacker already has access to the host or has already compromised it. This means that neither vulnerability can be used against remote servers. They can, however, be abused to create highly persistent backdoors that survive even an OS reinstall.
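The first flaw comes down to an updater that accepts any image without checking who produced it. The Go example below is added here and is not code from Eclypsium, Vertiv or either vendor; it contrasts an updater with no check against one that verifies a signature with a pinned public key. The image layout (payload followed by an Ed25519 signature), the fixed demo key and all function names are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"errors"
	"fmt"
)

// Constructed layout for this example: payload || 64-byte Ed25519 signature.
var ErrBadSignature = errors.New("firmware image rejected: signature check failed")

// DemoKey derives a fixed, constructed vendor key pair (a real key is never a fixed seed).
func DemoKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x42}, ed25519.SeedSize))
	return priv.Public().(ed25519.PublicKey), priv
}

// SignImage is the vendor-side step: append a signature over the payload.
func SignImage(priv ed25519.PrivateKey, payload []byte) []byte {
	return append(append([]byte{}, payload...), ed25519.Sign(priv, payload)...)
}

// UpdateUnchecked models an updater with no verification: any bytes are accepted.
func UpdateUnchecked(image []byte) []byte { return append([]byte{}, image...) }

// UpdateVerified returns the payload to flash only if the trailing signature
// verifies against the public key pinned in the updater.
func UpdateVerified(pinned ed25519.PublicKey, image []byte) ([]byte, error) {
	split := len(image) - ed25519.SignatureSize
	if split <= 0 {
		return nil, ErrBadSignature
	}
	if !ed25519.Verify(pinned, image[:split], image[split:]) {
		return nil, ErrBadSignature
	}
	return append([]byte{}, image[:split]...), nil
}

func main() {
	pub, priv := DemoKey()
	signed := SignImage(priv, []byte("constructed-bmc-image-v2"))
	modified := append([]byte{}, signed...)
	modified[0] ^= 0xff // one changed byte, as after tampering or corruption

	fmt.Printf("unchecked updater keeps modified image: %v\n", bytes.Equal(UpdateUnchecked(modified), modified))
	_, err := UpdateVerified(pub, modified)
	fmt.Println("verified updater, modified image:", err)
	payload, err := UpdateVerified(pub, signed)
	fmt.Printf("verified updater, vendor image: %q %v\n", payload, err)
}
```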
LENOVO PATCHES

In November 2018, Lenovo released firmware updates to address these two security flaws found in the MergePoint EMS component. Several Lenovo ThinkServer models are listed among the affected products in Lenovo's security advisory. The patches only address the command injection vulnerability, but not the first flaw, which allows unverified firmware updates. Lenovo told Eclypsium that it did not intend to patch the first one: in 2014, when the EMS component was first deployed as the BMC firmware of its servers, cryptographically signed firmware updates were not an industry standard, and that protection had not been included in the component's design. The company has said it will not address this issue and will allow the affected products to go end-of-life. The company has not published an exact list of server-line products that use an unsecured BMC firmware update process.

GIGABYTE PATCHES

Gigabyte likewise released firmware updates in May, but no official advisory with customer information was made available. Like Lenovo, Gigabyte only acknowledged the second flaw, and not the first. Eclypsium said that Gigabyte published firmware updates only for motherboards that use the ASPEED AST2500 controller as their BMC hardware. There are no updates for server motherboards with the ASPEED AST2400 controller. Vertiv Avocent MergePoint EMS was used as the BMC firmware for both the AST2500 and the AST2400.

GIGABYTE SWITCHES TO AMI-BASED BMC FIRMWARE

Recently, in June, Gigabyte also announced that support for the Vertiv Avocent MergePoint EMS firmware product was ending and that it was switching to the AMI MegaRAC SP-X firmware platform. To replace the BMC firmware with the new AMI MegaRAC SP-X, it started releasing server motherboard firmware updates.
At the start of April 2019, Gigabyte decided to end support for the MergePoint EMS firmware platform after Vertiv itself announced it would do so. Essentially, Gigabyte customers can protect themselves by installing the new AMI-based firmware, if it is available.

GIGABYTE SUPPLY-CHAIN PROBLEM

However, things aren't that simple. Eclypsium also pointed out that Gigabyte offers some of its server motherboards to third-party system integrators, which build their own branded custom server products. Eclypsium now fears that several Acer servers may carry the same firmware flaws, because their Gigabyte base may run the same MergePoint EMS. Gigabyte could not be reached by phone to ask whether companies that use its motherboards as third-party components in their supply chain use vulnerable motherboards, or whether these companies have been notified of the security issues Eclypsium reported.

For some device owners, the situation right now is a little gray: they must dig into the hardware of their servers, check which BMC controller and which firmware they use, and then look for firmware updates, if any are available for their product. Eclypsium has said that Vertiv never responded to its communications about the security flaws.