Gigabyte and Lenovo have issued firmware updates for certain of their server-line motherboards. In the case of the affected products, the firmware component in use is MergePoint EMS, from Avocent, a wholly owned subsidiary of the data center equipment and services provider Vertiv. Both Gigabyte and Lenovo used the MergePoint EMS component, adding it to certain server-line motherboards for the baseboard management controller (BMC).

BMCs are part of the larger Intelligent Platform Management Interface (IPMI). IPMI is a collection of tools, commonly found on servers and workstations on corporate networks, that allows sysadmins to run systems remotely. The BMC is a component that includes its own CPU, storage, and LAN interface, letting a remote admin connect to the PC or server, or send it instructions, for various operations, including changing OS settings, reinstalling the OS, or updating device drivers.

Eclypsium security researchers wrote up details of two flaws in the Vertiv Avocent MergePoint EMS BMC firmware in a report published on Tuesday 16 July 2013. First, the component lacks a cryptographically secure update process, so the BMC firmware can be overwritten by any attacker with a foothold on an infected device. Second, there are command injection vulnerabilities in the MergePoint EMS component, allowing an attacker to run malicious code, with the highest privileges, on a host running vulnerable MergePoint EMS BMC firmware.

Both vulnerabilities require an attacker who already has access to, or has already compromised, the host. This means that neither vulnerability can be used against remote servers. They can nevertheless be used to create highly persistent backdoors that can persist even through an OS reinstall.
LENOVO PATCHES

In November 2018, Lenovo published firmware updates to address the two security flaws found in the MergePoint EMS component. The affected products, listed in Lenovo's security advisory, include several Lenovo ThinkServer models. The patch only addresses the command injection vulnerability, not the first one, which allows unverified firmware updates.

Lenovo told Eclypsium that it did not intend to patch the first one: in 2014, when the EMS component was first deployed as the BMC firmware of its servers, cryptographically signed firmware updates were not an industry standard, and that protection had not been included in the component's design. Lenovo has said it will not address this issue and will allow the affected products to go end-of-life. The company has not published an exact number of server-line products that use an unsecured BMC firmware update process.

GIGABYTE PATCHES

Gigabyte likewise released firmware updates in May, but made no official announcement with information for customers. Like Lenovo, Gigabyte only patched the second flaw, and not the first. Eclypsium stated that Gigabyte put out firmware updates only for motherboards that use the ASPEED AST2500 controller as their BMC hardware. There is no update for server motherboards with the ASPEED AST2400 controller. The Vertiv Avocent MergePoint EMS was used as the BMC firmware for both the AST2500 and the AST2400.

GIGABYTE SWITCHES TO AMI-BASED BMC FIRMWARE

Later, in June, Gigabyte also announced that support for the Vertiv Avocent MergePoint EMS firmware product was ending and that it was switching over to the AMI MegaRAC SP-X firmware platform. It began releasing server motherboard firmware updates that replace the BMC firmware with the new AMI MegaRAC SP-X.
On the first of April 2019, Gigabyte decided that it would stop supporting the MergePoint EMS firmware platform, following an announcement by Vertiv itself. Essentially, Gigabyte customers can protect themselves by installing the new AMI-based firmware, if it is available.

GIGABYTE SUPPLY-CHAIN TROUBLE

However, things aren't that simple. Eclypsium also pointed out that Gigabyte offers some of its server motherboards to third-party system integrators, which build their own branded custom server products. Eclypsium now fears that various Acer servers may, because of their Gigabyte roots, contain the same MergePoint EMS firmware flaws.

Gigabyte could not be reached by phone to ask whether companies that use third-party motherboards as part of their supply chain are using vulnerable motherboards, or whether these companies have been notified of the security problems Eclypsium reported.

For some device owners the situation is now a little gray, as they must dig into the hardware of their servers, check which BMC controller and which firmware they use, and then look for firmware updates, if any are available for their products.

Eclypsium has said that Vertiv never responded to its communications about the security flaws.