
I bought a used Supermicro server (2011) to host my own web services. I installed Debian 10 Buster and setup the LAMP server. Ports 80 and 443 are only accessible from the internet behind NAT.

The server motherboard model is X9SCM-F. On the Supermicro website it is marked as EOL. Intel 82579LM and 82574L ethernet controllers are marked as "Expected Discontinuance".

What are the risks of using end-of-life server hardware? If my operating system is not compromised, is it possible to exploit a hardware security vulnerability from the internet?

Thanks.

Laura
  • The only part that comes to my mind regarding vulnerabilities of old servers is the baseboard management chip. Make sure that it is not accessible through the network port you use, as it would allow remote access to everything and might contain vulnerabilities. – Robert Jun 05 '21 at 21:26
  • Older CPU models might be vulnerable to side channel attacks, but often any exploits are patched by software. – Marco Jun 05 '21 at 22:40
  • It's mostly around business risk, not infosec risk (which exists, and is mentioned/answered elsewhere here). What do you do if the board fries? You're out of luck until you replace the whole thing. – mfinni Jun 06 '21 at 02:07

1 Answer


Yes, hardware that old can be a security risk. As a specific example, consider speculative execution side channel CPU attacks, which cannot be fully fixed in software.

Supermicro X9SCM-F can socket Xeon E3-1200 v2 series. Per Intel security guidance, that family is discontinued. In theory, a BIOS update would get some fixes up until Intel stopped releasing microcode for this CPU, but the Supermicro BIOS updates I found appeared to be too old to have any fixes.

Hardware level security flaws of this category are not easy to exploit; they require untrusted code that exercises the CPU in a very specific way. They are unlikely to be targeted at most organizations' risk levels, but concerning in that they bypass many isolation techniques.

As to not needing the OS to exploit a hardware vulnerability over the internet, out of band management is risky. Do not put IPMI or similar on the internet, especially when there will be no more security updates for that server model.

In a different category of risk, you are not likely to get help with this hardware. Hardware and software support might not help you, and parts may not be available.


Ports 80 and 443 are only accessible from the internet behind NAT.

NAT does not provide security. Firewalls do. An equivalent packet filter in an IPv6-only network with zero NAT would be similarly secure.

John Mahowald
  • Thank you very much for the information :) I would like to add a few details. NAT is managed by a physical firewall (pfSense) with three interfaces (WAN / DMZ / LAN) and IPMI is in a private network (LAN) not accessible from the Internet. If I change my configuration and I use this end-of-life server in a private network (LAN) and the packets (DNS, HTTP (apt update / upgrade), NTP) are outgoing only, is it OK? Are there no more risks? Thanks. – Laura Jun 07 '21 at 15:13
  • My answer was not a comprehensive risk assessment, especially as you did not include your approach to network security in your question. I would not purchase hardware that far past end of life. But make your own decisions. – John Mahowald Jun 07 '21 at 19:30
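As an added illustration of the microcode point in the answer (this is not code from the question or the answer): the Linux kernel reports its view of each speculative-execution issue in one file per issue under `/sys/devices/system/cpu/vulnerabilities`, and a status containing "no microcode" means the mitigation the kernel wanted depends on a microcode/BIOS update it did not find. The `SAMPLE` dict below is constructed to resemble such a host; the script reads the real directory when it exists.

```python
"""Summarise the Linux kernel's CPU side-channel status files.

Each file under /sys/devices/system/cpu/vulnerabilities contains
"Not affected", "Mitigation: ...", or "Vulnerable[: ...]".
"""
from pathlib import Path

SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")

# Constructed sample (not captured from a real host) showing a CPU whose
# kernel could not load the microcode it wanted for the MDS mitigation.
SAMPLE = {
    "meltdown": "Mitigation: PTI\n",
    "spectre_v1": "Mitigation: usercopy/swapgs barriers and __user pointer sanitization\n",
    "spectre_v2": "Mitigation: Retpolines, STIBP: disabled, RSB filling\n",
    "mds": "Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable\n",
    "l1tf": "Mitigation: PTE Inversion\n",
    "tsx_async_abort": "Not affected\n",
}


def read_sysfs(directory=SYSFS_DIR):
    """Read every status file in the directory into a name -> text dict."""
    return {p.name: p.read_text() for p in sorted(directory.iterdir()) if p.is_file()}


def classify(text):
    """Map one status string to 'not_affected', 'mitigated' or 'vulnerable'."""
    text = text.strip()
    if text.startswith("Not affected"):
        return "not_affected"
    if text.startswith("Mitigation:"):
        return "mitigated"
    return "vulnerable"  # "Vulnerable", "Vulnerable: ..." or any unrecognised text


def summarise(entries):
    """Return ({name: class}, names whose status reports missing microcode)."""
    classes = {name: classify(text) for name, text in entries.items()}
    no_microcode = sorted(n for n, t in entries.items() if "no microcode" in t.lower())
    return classes, no_microcode


if __name__ == "__main__":
    entries = read_sysfs() if SYSFS_DIR.is_dir() else SAMPLE
    classes, no_microcode = summarise(entries)
    for name in sorted(classes):
        print(f"{name:16} {classes[name]:13} {entries[name].strip()}")
    if no_microcode:
        print("kernel expected microcode it could not load for:", ", ".join(no_microcode))
```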