Uncategorized

Linux OEMs/VARs: use FwUpd

If you build a Linux-based system, you should be putting your firmware updates on fwupd. Dell is the only vendor currently doing this.

What about: System76, ThinkPenguin, Purism, HP, etc??

Hmm, it looks like System76 might be working on it!

 

Standard
Uncategorized

Dell PowerEdge 14G firmware updates

Dell/EMC has a new Tech Note, written by Wei Liu and Seamus Jones, summarizing some of the new firmware security features available in their new server:

Cyber-Resiliency Starts at the Chipset and BIOS

2-page Tech Note covering new BIOS features introduced with PowerEdge 14G servers, offering unique resiliency to malicious intent or user error. The two features highlighted, BIOS Recovery and integration of Intel Boot Guard, respectively, are further demonstration of PowerEdge engineering commitment to ensuring the security and stability of enterprise infrastructures.

http://en.community.dell.com/techcenter/extras/m/white_papers/20444061

 

Standard
Uncategorized

RackHD

RackHD is a technology stack created for enabling hardware management and orchestration, to provide cohesive APIs to enable automated infrastructure. In a Converged Infrastructure Platform (CIP) architecture, RackHD software provides hardware management and orchestration (M&O). It serves as an abstraction layer between other M&O layers and the underlying physical hardware. Developers can use the RackHD API to create a user interface that serves as single point of access for managing hardware services regardless of the specific hardware in place.

https://github.com/RackHD/RackHD

http://rackhd.io/

Standard
Uncategorized

Dell Inspiron 20-3052 BIOS update concerns

If you have this Dell, be careful about the current update, multiple users have the problem. Quoting the Register article:

As one forum wag noted: “Some send out ‘WannaCry’, others send out BIOS upgrades”.

https://www.theregister.co.uk/2017/05/18/dell_bios_update_borks_pcs/

http://en.community.dell.com/support-forums/desktop/f/3514/t/20012309?pi21953=1

http://en.community.dell.com/support-forums/desktop/f/3514/p/19435778/20050222

PS: These are nice references from Dell’s support wiki:

http://en.community.dell.com/support-forums/desktop/w/desktop/3624.beep-codes-and-psa-diagnostic-chart

http://en.community.dell.com/support-forums/desktop/w/desktop/3634.extremely-long-psa-code-chart

 

Standard
Uncategorized

Dell iDRAC CVE-2016-5685, bash vulnerability (old news)

http://www.securiteam.com/securitynews/5XP3B0UKUU.html

SecuriTeam confused me by reposting a 2016 Dell iDDRAC vulnerability today, but I don’t see anything new. Just in case you weren’t aware of this issue, and you have a Dell system, here’s info on this older vulnerability, see the last link for a PDF-based response from the Dell iDRAC team.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5685
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5685
http://www.securityfocus.com/bid/94585
http://en.community.dell.com/techcenter/extras/m/white_papers/20443326

Dell iDRAC team’s response to Common Vulnerabilities and Exposures (CVE) ID CVE-2016-5685 [16 November 2016]
Summary: an authenticated user could gain Bash shell access through a string injection.
Dell Response: update to the latest iDRAC firmware, which remediates this potential vulnerability.

 

Standard
Uncategorized

MonitorDarkly: Dell monitor on-screen-display exploit

“This repo contains the exploit for the Dell 2410U monitor. It contains utilities for communicating with and executing code on the device. The research presented here was done in order to highlight the lack of security in “modern” on-screen-display controllers. Please check out our Recon 0xA presentation (included) for a detailed description of our research findings and process.[…]”

https://github.com/redballoonshenanigans/monitordarkly

Standard