PowerEdge R410 replacement motherboard contains malware?!

Servers

Servers
Information and ideas on Dell PowerEdge rack, tower and blade server solutions.

PowerEdge R410 replacement motherboard contains malware?!

This question is answered

I just got a telephone call from a service scheduler informing me that the replacement R410 motherboard I received several weeks ago contains spyware in its embedded systems management firmware, and wanting to schedule an additional service call for a tech to come clean it off.

Unfortunately since the person calling was non-technical, she was unable to provide a lot of details. But I do believe the call to be legitimate as she had the service tag of one of my systems which did indeed receive a motherboard replacement recently.

Does Dell have an official article documenting this issue and laying out further details and the potential risks? Obviously it causes me grave concern be informed of a vulnerability but not have all of the technical details, especially when they asked to be able to schedule the service call to resolve the issue at least ten business days in the future.

All Replies
  • Thanks for your interest and feedback on your PowerEdge server.  The service phone call you received was in fact legitimate. As part of Dell’s quality process, we have identified a potential issue with our service mother board stock, like the one you received for your PowerEdge R410, and are taking preventative action with our customers accordingly.  The potential issue involves a small number of PowerEdge server motherboards sent out through service dispatches that may contain malware.  This malware code has been detected on the embedded server management firmware as you indicated.

     

    We take matters of information security very seriously and believe that any impact to a customer’s information security is unlikely.  To date we have received no customer reports related to data security. Systems running non-Windows operating systems are not vulnerable to this malware and this issue is not present on motherboards shipped new with PowerEdge systems. 

     

    We have assembled a customer list and are directly contacting customers like you through a call campaign. On the call, you should be provided a phone number to call if you have additional questions. Hopefully you received this on your call. If not, let me know and we’ll get it to you as soon as possible so you have all of the follow-up information needed.

  • Thank you for your prompt response. I have not received a letter -- the phone call was the first I have heard of this. I would like to understand the scope of the issue and any risks to information security in more detail. If you could please contact me offline and send a copy of the letter, I would appreciate it.

  • So why is there no information in the recall links or other readily obvious place on the site?

    I also received a call about it, but had no way of knowing if this was a legitimate issue.  Also, if it is just a firmware issue, can the firmware just be updated ?

    I would much rather  update it myself than have to schedule a tech to come in to do something I am perfectly capable of doing.

  • Has there been a service tag listing of systems that would contain this unintended iteration of the embedded server management?  I'm a bit concerned as I received a new R410 2 weeks ago and am unsure what to look for regarding this vulnerability. 

  • Here are further details regarding the instance of malware introduced on some service motherboards discussed on this forum that affects a very small set of customers. We are proactively contacting identified customers and are working with them to quickly resolve any potential exposure. 

     

    There are important pieces of information to note:

     

    1.       This issue does not affect any Dell PowerEdge servers shipped from our factories  and is limited to a small number of the replacement motherboards only which were sent via Dell’s service and replacement process for four servers: PowerEdge R310, PowerEdge R410, PowerEdge R510 and PowerEdge T410.  The maximum potential exposure is less than 1% of these server models.

    2.       Dell has removed all impacted motherboards from the service supply. New shipping replacement stock does not contain the malware.

    3.       The W32.Spybot worm was discovered in flash storage on the motherboard during Dell testing. The malware does not reside in the firmware.

    4.       All industry-standard antivirus programs on the market today have the ability to identify and prevent the code from infecting the customer’s operating system. 

    5.       Systems running non-Microsoft Windows operating systems cannot be affected.

    6.       Systems with the iDRAC Express or iDRAC Enterprise card installed cannot be affected. 

    7.       Remaining systems can only be exposed if the customer chooses to run an update to either Unified Server Configurator (USC) or 32-bit Diagnostics.  

     ---Updated on Friday, July 23----

    Here is additional information on conditions:

    • Windows Server 2008 and Windows Server 2008 R2 will not automatically run the malware when the Dell Update Packages for Unified Server Configurator (USC) or 32-bit Diagnostics are run.
    • Windows Server 2003 may be vulnerable to the malware while the Dell Update Packages for Unified Server Configurator (USC) or 32-bit Diagnostics are run if the server does not have Antivirus software installed and AutoRun is enabled for removable drives.  

     

     

    Dell takes customer security and privacy very seriously. Although we are not aware of any reports of customer related issues, we are proactively working with customers to resolve any potential exposure.  

     

    Concerned customers can contact Dell technical support at: US_EEC_escalations@dell.com

     

    We will continue to update this forum as new information becomes available or questions arise.

  • Will you please post your employee number?  In a phone call to Dell this morning I was told that no Dell employee wrote this....

  • My name is Daisy Nguyen. I'm the IT Director for the Computer Science Department in Columbia University. We have nearly one hundred R410 servers for research computation. Professor Sethumadhavan in our department forward the infected motherboard information to me and ask if we can get a loan from Dell for one of this motherboard for us to study it. Prof. Sethumadhavan's group works on securing hardware systems. They have recently published ground-breaking work on securing CPUs from malicious attacks (www.theregister.co.uk/2010/05/12/tamper_evident_microprocessor/) Information regarding the motherboard malware, injection/spreading techniques, and other technical/social aspects of the injection will be valuable to researchers working in the area of hardware security at Columbia under Prof. Sethumdahavan's guidance, and also to the broader secure hardware research community. We will happily acknowledge Dell in research publications that may result from analysis of the motherboard and/or any defenses developed to protect these motherboards. Could you please look into this for us or provide a name of someone in Dell organization who we can contact regarding this. My contact information is listed below.

     

    Thank you for your help,

    Daisy

    -----------------------
    Daisy Nguyen
    Director, Computing Research Facilities
    Computer Science Department
    Columbia University
    <ADMIN NOTE: Private information removed per privacy policy>
    <ADMIN NOTE:Address removed per privacy policy>
  • Yes Art, I am a Dell employee and the information I posted is accurate. If you need specific information, please contact US_EEC_escalations@dell.com.

    Thanks, Matt

  • I just wanted to follow up that I had a telephone call with folks at Dell as a result of this thread, and that they did provide additional information as requested. I am satisfied that my server (and the data on it) is not at risk as a result of this error.

  • daisy07922

    My name is Daisy Nguyen. I'm the IT Director for the Computer Science Department in Columbia University. We have nearly one hundred R410 servers for research computation. Professor Sethumadhavan in our department forward the infected motherboard information to me and ask if we can get a loan from Dell for one of this motherboard for us to study it. Prof. Sethumadhavan's group works on securing hardware systems. They have recently published ground-breaking work on securing CPUs from malicious attacks (www.theregister.co.uk/2010/05/12/tamper_evident_microprocessor/) Information regarding the motherboard malware, injection/spreading techniques, and other technical/social aspects of the injection will be valuable to researchers working in the area of hardware security at Columbia under Prof. Sethumdahavan's guidance, and also to the broader secure hardware research community (Bike Online Shop Fahrradteile & Bike Parts Bike Parts). We will happily acknowledge Dell in research publications that may result from analysis of the motherboard and/or any defenses developed to protect these motherboards. Could you please look into this for us or provide a name of someone in Dell organization who we can contact regarding this. My contact information is listed below.

     

    Thank you for your help,

    Daisy

    -----------------------
    Daisy Nguyen
    Director, Computing Research Facilities
    Computer Science Department
    Columbia University
    <ADMIN NOTE: Private information removed per privacy policy>
    <ADMIN NOTE:Address removed per privacy policy>

     

    Maybe you should try to use the contact form!

  • You should not look for such help on dell boards. You should just contact them through the contact form or call them...

    Regards,

    Eliam,

    Sales VP @ drop m

  • Interesting. Definitely gotta say someone other than a customer service rep should be looking into this call. And I do customer service myself at shakeology! Typically we usually pass these tasks up the chain to management and they will reach out to you, I hope Dell does the same.

    Good Luck.

  • Perhaps it has something to do with this?

    Deitybounce