The Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) have published new guidance to help organizations harden baseboard management controllers (BMCs).
Typically part of a motherboard, a BMC is a specialized service processor used for monitoring the physical state of a system, server, or other device, collecting information such as temperature, voltage, humidity, and fan speeds.
Operating separately from the operating system and the system’s firmware (such as BIOS and UEFI), a BMC enables remote management and control, even on systems that are shut down (as long as the system is connected to a power outlet).
The BMC firmware, CISA and the NSA point out in the new guidance (PDF), is highly privileged, having access to all resources of the system it resides on. Using BMC management solutions allows organizations to manage multiple systems without physical access.
The firmware BMCs run on is maintained separately and, because many BMCs do not provide integration with user account management solutions, updates and other administrative actions need to be delivered via commands over network connections.
“Many organizations fail to take the minimum action to secure and maintain BMCs. Hardened credentials, firmware updates, and network segmentation options are often overlooked, leading to a vulnerable BMC. A vulnerable BMC broadens the attack vector by providing malicious actors the opportunity to employ tactics such as establishing a beachhead with pre-boot execution potential,” CISA and the NSA note.
Unauthorized access to a BMC could allow attackers to disable the trusted platform module (TPM) or UEFI secure boot or propagate implants across the network without being detected by traditional tools or security features, including endpoint detection and response (EDR) solutions, intrusion detection/prevention systems (IDS/IPS), and TPM attestation.
Organizations are advised to change default BMC credentials and use strong passwords compliant with NIST guidelines, to isolate BMC network connections using a virtual local area network (VLAN), limit the connections to a BMC, harden BMCs against unauthorized access, routinely check for BMC firmware updates, monitor BMC integrity, and move workloads on systems with BMC integrity monitoring mechanisms.
“A user may accidentally connect and expose an ignored and disconnected BMC to malicious content. Treat an unused BMC as if it may one day be activated. Apply patches. Harden credentials. Restrict network access. If a BMC cannot be disabled or removed, carry out recommended actions appropriate to the sensitivity of the platform’s data,” the two agencies note.