A new study published by infrastructure security specialists Eclypsium investigates the security of various implementations of the Linux Foundation’s open-source OpenBMC™ firmware stack. The “OpenBMC Security in Practice” report reviews OpenBMC’s flexibility and widespread adoption, and the complexities of managing vulnerabilities across its implementations. The Eclypsium report also evaluates how different vendors handle CVEs and patching, and ultimately identifies MegaRAC OneTree™ from AMI as the optimal solution.
To arrive at its results, Eclypsium took a snapshot of the latest available OpenBMC vendor releases: the main OpenBMC GitHub repository, Intel® S2600WF, Dell™ R670csp, Supermicro® X14DBG-AP and MegaRAC OneTree (version 2.0). For each code revision, it then recorded both the number of open CVEs and the areas of the code in which each security issue resides.
While the results show a clear advantage for MegaRAC OneTree, readers should also take note that certain vulnerabilities discovered in the upstream OpenBMC code, which were shown as CVEs affecting MegaRAC OneTree, have already been mitigated by AMI. Additionally, we continue to apply mitigations directly to the downstream code in the form of updates distributed to customers, which will be upstreamed in the next open-source revision. Consequently, the total number of CVEs that are open today is lower than what the Eclypsium study was able to capture.
Eclypsium’s report highlights the importance of a robust Software Bill of Materials (SBOM) approach combined with vulnerability management, regular updates, and transparency throughout the supply chain for maintaining its security.
For more information on our MegaRAC OneTree OpenBMC-based solution with add-on technologies and enhancements, we invite you to download the datasheet or contact us to schedule a discussion today.
OpenBMC is a trademark of LF Projects, LLC. MegaRAC is a registered trademark of AMI US Holdings, Inc., in the US and other countries. Intel is a registered trademark of Intel Corporation. Dell Technologies, Dell, and other trademarks are trademarks of Dell Inc. or its subsidiaries. Supermicro® is a registered trademark of Super Micro Computer, Inc. All other trademarks and registered trademarks are the property of their respective owners.