
CISA, NSA Share Guidance on Hardening Baseboard Management Controllers


The Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) have published new guidance to help organizations harden baseboard management controllers (BMCs).

Typically part of a motherboard, a BMC is a specialized service processor used for monitoring the physical state of a system, server, or other device, collecting information such as temperature, voltage, humidity, and fan speeds.

Operating separately from the operating system and the system’s firmware (such as BIOS and UEFI), a BMC enables remote management and control, even on systems that are shut down (as long as the system is connected to a power outlet).

The BMC firmware, CISA and the NSA point out in the new guidance (PDF), is highly privileged, having access to all resources of the system it resides on. Using BMC management solutions allows organizations to manage multiple systems without physical access.

BMC firmware is maintained separately and, because many BMCs do not integrate with user account management solutions, updates and other administrative actions need to be delivered via commands over network connections.

“Many organizations fail to take the minimum action to secure and maintain BMCs. Hardened credentials, firmware updates, and network segmentation options are often overlooked, leading to a vulnerable BMC. A vulnerable BMC broadens the attack vector by providing malicious actors the opportunity to employ tactics such as establishing a beachhead with pre-boot execution potential,” CISA and the NSA note.

Unauthorized access to a BMC could allow attackers to disable the trusted platform module (TPM) or UEFI secure boot or propagate implants across the network without being detected by traditional tools or security features, including endpoint detection and response (EDR) solutions, intrusion detection/prevention systems (IDS/IPS), and TPM attestation.


Organizations are advised to change default BMC credentials and use strong passwords compliant with NIST guidelines, isolate BMC network connections using a virtual local area network (VLAN), limit the connections to a BMC, harden BMCs against unauthorized access, routinely check for BMC firmware updates, monitor BMC integrity, and move workloads to systems with BMC integrity monitoring mechanisms.

“A user may accidentally connect and expose an ignored and disconnected BMC to malicious content. Treat an unused BMC as if it may one day be activated. Apply patches. Harden credentials. Restrict network access. If a BMC cannot be disabled or removed, carry out recommended actions appropriate to the sensitivity of the platform’s data,” the two agencies note.
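As an added illustration (not part of the article or the CISA/NSA guidance), the recommendations above can be turned into a repeatable audit over a BMC inventory, with unused BMCs checked exactly like active ones. The subnets, model names, firmware versions and record field names are all constructed assumptions.

```python
import ipaddress

# Constructed site policy (assumed values, not taken from the CISA/NSA guidance).
MGMT_VLAN = ipaddress.ip_network("10.20.30.0/24")        # dedicated BMC VLAN subnet
ADMIN_SOURCES = [ipaddress.ip_network("10.20.40.0/28")]  # hosts allowed to reach BMCs
LATEST_FIRMWARE = {"model-a": "2.14.3", "model-b": "1.9.0"}  # hypothetical models

# Constructed inventory; field names are hypothetical.
INVENTORY = [
    {"host": "srv01", "model": "model-a", "bmc_ip": "10.20.30.11", "firmware": "2.14.3",
     "default_creds_changed": True, "acl_sources": ["10.20.40.0/28"],
     "integrity_monitoring": True, "in_use": True},
    {"host": "srv02", "model": "model-a", "bmc_ip": "192.168.5.20", "firmware": "2.9.10",
     "default_creds_changed": False, "acl_sources": ["0.0.0.0/0"],
     "integrity_monitoring": False, "in_use": True},
    {"host": "srv03", "model": "model-b", "bmc_ip": "10.20.30.13", "firmware": "1.9.0",
     "default_creds_changed": False, "acl_sources": [],
     "integrity_monitoring": True, "in_use": False},
]

def version_tuple(v):
    """Turn '2.9.10' into (2, 9, 10) so 2.9.10 < 2.14.3 compares numerically."""
    return tuple(int(part) for part in v.split("."))

def audit_bmc(rec):
    """Return hardening findings for one BMC; 'in_use' is deliberately ignored."""
    findings = []
    if not rec["default_creds_changed"]:
        findings.append("default-credentials")
    if ipaddress.ip_address(rec["bmc_ip"]) not in MGMT_VLAN:
        findings.append("not-on-management-vlan")
    sources = [ipaddress.ip_network(s) for s in rec["acl_sources"]]
    # No ACL at all, or any entry wider than the admin ranges, means access is not limited.
    if not sources or not all(any(s.subnet_of(a) for a in ADMIN_SOURCES) for s in sources):
        findings.append("connections-not-limited")
    if version_tuple(rec["firmware"]) < version_tuple(LATEST_FIRMWARE[rec["model"]]):
        findings.append("firmware-outdated")
    if not rec["integrity_monitoring"]:
        findings.append("no-integrity-monitoring")
    return findings

def audit_inventory(inventory):
    """Audit every BMC, including unused ones, which get no exemption."""
    return {rec["host"]: audit_bmc(rec) for rec in inventory}

if __name__ == "__main__":
    for host, findings in audit_inventory(INVENTORY).items():
        print(host, "OK" if not findings else ", ".join(findings))
```

Comparing firmware versions as integer tuples matters here: as plain strings, "2.9.10" sorts after "2.14.3" and the outdated BMC on srv02 would pass.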


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
