Baseboard management controllers (BMC) are built into practically every enterprise-grade server product for out-of-band management. Typically, a variety of sensors are connected to the BMC to measure power status, operating temperature, cooling fan speeds, the operating status of components, and the OS running on the system itself. In the most optimistic view, the BMC assists system administrators in managing multiple servers (not necessarily identical ones) at the same time. In the most pessimistic view, the BMC is a black box with minimal, if any, security auditing, and the closed nature of BMC firmware undermines attempts to lock down systems.

BMC, and the larger Intelligent Platform Management Interface (IPMI), is only marginally more open than Intel Management Engine, which frequently faces questions of being a backdoor. Security research firm Eclypsium found a dangerous design flaw in Supermicro servers, in which the BMC software does not apply signature verification on firmware images, permitting arbitrary firmware to be loaded. Though Eclypsium only verified this on Supermicro servers, Supermicro uses AMI’s MegaRAC firmware, which is also used in ASUS, Intel, and Tyan motherboards.


Researchers at Eclypsium have not stopped there, however. On Wednesday, the company disclosed a new vulnerability which leverages IPMI and UEFI to render servers inoperable. By using the Keyboard Controller Style (KCS) component of IPMI, which does not require authentication or special credentials, attackers who have gained control over a system can effectively brick a server by pushing a malicious firmware update through KCS.

Because of the number of steps involved, there is a lot to unpack about how this attack works. Thinking about it step by step makes the vulnerability more digestible. First, an attacker would need to gain access to a system by exploiting some other vulnerability, or by stealing login credentials. Given the mass of unpatched software in deployment, and the efficacy of social engineering attacks, this is trivial. After gaining access, they can push a malicious firmware image to the BMC over the host-side KCS interface. The BMC reboots after it is updated, and that malicious firmware image can then be used, as Eclypsium demonstrates, to overwrite the UEFI firmware, overwrite the malicious BMC firmware itself, and reboot the server, leaving it non-operational.

Eclypsium emphasizes that this is a proof-of-concept attack not seen in the wild, though they claim that this is the first public demo of remote bricking of servers. Best practice also holds that the BMC should be isolated from the network, but the researchers indicate that infection through the host, which reaches the BMC over the in-band KCS path rather than the management network, negates that protection.
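As an added example, not code from Eclypsium or from the article, the following host-side audit checks whether the unauthenticated in-band path the attack depends on is reachable from the operating system. It assumes a Linux host where in-band IPMI is provided by the `ipmi_si` (system interface, including KCS) and `ipmi_devintf` kernel modules and exposed to userland as `/dev/ipmi*` device nodes; the `/proc/modules` sample is constructed for the demonstration.

```python
"""Audit whether the host OS can reach the BMC over the in-band (KCS) path.

Rationale (defender's view): a compromised host can only push firmware to the
BMC through KCS if the kernel exposes that interface. Knowing which hosts have
it open, and blocking it where no management agent needs it, shrinks the
attack surface and gives a baseline to alert on when it changes.
"""
import glob
import os

# Kernel modules that together expose the BMC system interface to userland.
IPMI_MODULES = ("ipmi_si", "ipmi_devintf", "ipmi_msghandler")

# Constructed sample of /proc/modules content (not captured from a real host).
SAMPLE_PROC_MODULES = (
    "ipmi_devintf 20480 0 - Live 0x0000000000000000\n"
    "ipmi_si 61440 0 - Live 0x0000000000000000\n"
    "ipmi_msghandler 114688 2 ipmi_devintf,ipmi_si - Live 0x0000000000000000\n"
    "ext4 778240 1 - Live 0x0000000000000000\n"
)


def loaded_modules(proc_modules_text):
    """Parse /proc/modules (or lsmod) text into the set of loaded module names."""
    names = set()
    for line in proc_modules_text.splitlines():
        parts = line.split()
        if parts and parts[0] != "Module":  # skip the lsmod header row if present
            names.add(parts[0])
    return names


def kcs_exposure(proc_modules_text, device_nodes):
    """Return a finding describing whether the host-to-BMC in-band path is open."""
    mods = loaded_modules(proc_modules_text)
    present = [m for m in IPMI_MODULES if m in mods]
    nodes = sorted(device_nodes)
    # Exposed only when the driver stack is loaded AND a device node is reachable.
    exposed = "ipmi_si" in mods and "ipmi_devintf" in mods and bool(nodes)
    severity = "high" if exposed else ("medium" if present else "info")
    return {"modules": present, "devices": nodes, "exposed": exposed, "severity": severity}


def mitigation_lines(finding):
    """modprobe.d lines that keep the in-band interface off hosts that do not need it."""
    if not finding["exposed"]:
        return []
    return ["blacklist ipmi_si", "blacklist ipmi_devintf", "install ipmi_si /bin/false"]


def audit_live_host():
    """Run the check against the real kernel state of this machine."""
    with open("/proc/modules") as fh:
        text = fh.read()
    return kcs_exposure(text, [p for p in glob.glob("/dev/ipmi*") if os.path.exists(p)])


if __name__ == "__main__":
    f = kcs_exposure(SAMPLE_PROC_MODULES, ["/dev/ipmi0"])  # constructed scenario
    print(f, mitigation_lines(f))
```

The blacklist is only appropriate on hosts where no in-band management agent (vendor tooling, `ipmitool` automation) is required; elsewhere, treat a change in this finding as a signal to investigate.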

A demonstration of the attack was uploaded by Eclypsium to YouTube.

Considering the data center is the core of most businesses, this type of attack would be logical to leverage in ransomware attacks, as most enterprises can simply restore encrypted data; attacking the hardware, rather than the software, causes more havoc. Cloud vendors would not be immune to this style of attack, though exploiting it requires at a minimum the added complexity of a virtual machine escape vulnerability to gain access to the host platform, as IPMI calls would be denied on guest compute instances.

The big takeaways for tech leaders:

  • Researchers at Eclypsium demonstrated using IPMI to brick a server by pushing a malicious firmware update.
  • Eclypsium claims this to be the first vulnerability which allows for remote bricking of server hardware, though this is only a proof-of-concept not presently exploited in the wild.