This means that neither vulnerability can be exploited against remote servers. In order to replace the BMC firmware with the new AMI MegaRAC SP-X, it started releasing server motherboard firmware updates. On the 1st of April 2019 Gigabyte decided that it would end support for the MergePoint EMS firmware platform, following an announcement by Vertiv itself. The affected products use a firmware component named MergePoint EMS from Avocent, a wholly owned subsidiary of data center equipment and services supplier Vertiv. Eclypsium stated that Gigabyte published firmware updates only for motherboards that use the ASPEED AST2500 controller as their BMC hardware. LENOVO PATCHES In November 2018, Lenovo released firmware updates to address these two security flaws discovered in the MergePoint EMS component. IPMI is a collection of tools, usually found on servers and workstations on corporate networks, that allows sysadmins to manage systems remotely. For some device owners the situation today is a little gray, as they must dig into the hardware of their servers, check what BMC controller they use and what firmware they run, and then hunt for firmware updates, if any are available for their product. Second, there is a command injection vulnerability in the MergePoint EMS component, allowing an attacker to run malicious code, with high privileges, on a server running vulnerable MergePoint EMS BMC firmware. Like Lenovo, Gigabyte only patched the second flaw, and not the first. There are no updates for server motherboards with the ASPEED AST2400 controller. Gigabyte and Lenovo published firmware updates for certain of their server-dedicated motherboards. They can still be used to create extremely long-lasting backdoors that can survive even an OS reinstall.
First of all, the component lacks a cryptographically secure update process, so the BMC firmware can be overwritten by any attacker with a foothold on an infected device. Vertiv Avocent MergePoint EMS was used as the BMC firmware for both the AST2500 and the AST2400. GIGABYTE PATCHES Gigabyte likewise released firmware updates in May, but made no official advisory with customer information available. Essentially, Gigabyte customers can protect themselves by installing the new AMI-based firmware, if available. The affected products include several Lenovo ThinkServer models listed in Lenovo's security advisory. Both Gigabyte and Lenovo used the MergePoint EMS component for the baseboard management controller (BMC) provided with certain server-line motherboards. GIGABYTE SWITCHES TO AMI-BASED BMC FIRMWARE Recently, in June, Gigabyte also announced that support for Vertiv Avocent MergePoint EMS firmware products was over and that it was switching to the AMI MegaRAC SP-X firmware platform. For both vulnerabilities, an attacker needs access to the host, or the host must already be compromised. Eclypsium has stated that Vertiv never responded to its security communications. Eclypsium now fears that several Acer servers being sold may, due to their Gigabyte roots, carry the same MergePoint EMS firmware flaws. Lenovo stated that the company has said it will not address this issue and will allow the affected products to become end-of-life. GIGABYTE - CHAIN PROBLEMS However, things aren't that simple. The BMC is a component that includes its own CPU, storage, and LAN interface, allowing a remote admin to connect or send commands to the PC/server for various operations, including changing the OS settings, reinstalling the OS or updating drivers.
The patch only addresses the command injection vulnerability, but not the first one, which allows unverified firmware updates. There is no exact list, published by the company, of server product lines that use an insecure BMC firmware update process. Lenovo told Eclypsium that it did not intend to patch the first one, saying that in 2014, when the EMS component started being deployed for the first time as the BMC firmware of its servers, cryptographically signed firmware updates were not an industry standard and that protection had not been included in the component's design. Eclypsium security researchers published details of two flaws in Vertiv Avocent MergePoint EMS BMC firmware in a report published on Tuesday 16 July 2013. Eclypsium also pointed out that Gigabyte offers some of its server motherboards to third-party system integrators, which build their own branded custom server products. BMCs are part of the larger Intelligent Platform Management Interface (IPMI). Gigabyte could not be reached by telephone to ask whether companies use the vulnerable motherboards, or whether these companies, which use third-party motherboards as part of their supply chain, have been informed of the security problems Eclypsium reported.