Servers Can Be Bricked Remotely via BMC Attack

Hackers could remotely brick servers by launching firmware attacks that involve the Baseboard Management Controller (BMC), researchers at firmware security company Eclypsium have demonstrated.

Hackers could remotely brick servers by launching firmware attacks that involve the Baseboard Management Controller (BMC), researchers at firmware security company Eclypsium have demonstrated.

Firmware attacks can pose a serious threat because they allow attackers to gain persistent access to and control over a targeted system. However, these types of attacks often require physical access to the targeted device, so they are less likely to cause widespread problems in the way that, for example, a piece of ransomware can.

However, Eclypsium has demonstrated an attack method that can pose an even bigger problem than ransomware, especially for enterprises. The company’s researchers showed that an attacker can leverage the BMC to remotely brick a server and make it very difficult for an organization to restore.

The BMC is a small computer present on a majority of server motherboards. A component of the Intelligent Platform Management Interface (IPMI), it allows administrators to remotely control and monitor a server without having to access the operating system or applications running on it. Admins can use the BMC to reboot a device, install an operating system, update the firmware, monitor system parameters, and analyze logs.

While the capabilities provided by the BMC can be highly useful for administrators, the system also introduces an attack vector that can be used to cause serious damage.

For instance, a malicious firmware update can allow attackers to plant a piece of highly persistent malware that can survive a reinstallation of the operating system and a complete wipe of the hard drive. Attackers can also move laterally to management networks that are supposed to be isolated.

Eclypsium recently reported finding some BMC vulnerabilities in Supermicro motherboards. These flaws are related to the fact that the code responsible for processing firmware updates fails to verify an update’s cryptographic signature, allowing attackers to load malicious code onto the BMC.
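To make the flaw described above concrete, here is an added example (not Eclypsium's or Supermicro's code) contrasting an update handler that checks only an integrity digest with one that verifies an authenticator over the image before trusting it. The image layout, the vendor key and the HMAC authenticator are all constructed for this example; a real BMC would hold a vendor public key and verify an asymmetric signature, but HMAC keeps the example runnable with the standard library.

```python
import hashlib
import hmac
import struct

# Constructed image layout for this example (not a real BMC firmware format):
#   magic(4) | version(4) | payload_len(4) | sha256(32) | auth_tag(32) | payload
MAGIC = b"BMCF"
HEADER = struct.Struct(">4sII32s32s")

# Stand-in for the vendor's signing key. In a real design the update handler holds
# only a public key; a symmetric key is used here so the example runs offline.
VENDOR_KEY = b"constructed-vendor-signing-key"


def _authenticator(version: int, length: int, digest: bytes, key: bytes) -> bytes:
    # The tag binds the header fields and the payload digest together.
    msg = MAGIC + struct.pack(">II", version, length) + digest
    return hmac.new(key, msg, hashlib.sha256).digest()


def build_image(payload: bytes, version: int, key: bytes = VENDOR_KEY) -> bytes:
    digest = hashlib.sha256(payload).digest()
    tag = _authenticator(version, len(payload), digest, key)
    return HEADER.pack(MAGIC, version, len(payload), digest, tag) + payload


def parse(image: bytes):
    magic, version, length, digest, tag = HEADER.unpack_from(image)
    payload = image[HEADER.size:HEADER.size + length]
    if magic != MAGIC or len(payload) != length:
        raise ValueError("malformed image")
    return version, length, digest, tag, payload


def accept_unverified(image: bytes) -> bool:
    """Vulnerable handler: the digest proves the image was not corrupted in transit,
    but anyone who rebuilds the header can have arbitrary code accepted."""
    _, _, digest, _, payload = parse(image)
    return hmac.compare_digest(hashlib.sha256(payload).digest(), digest)


def accept_verified(image: bytes, key: bytes = VENDOR_KEY) -> bool:
    """Hardened handler: the authenticator must validate before the payload is trusted."""
    version, length, digest, tag, payload = parse(image)
    tag_ok = hmac.compare_digest(_authenticator(version, length, digest, key), tag)
    return tag_ok and hmac.compare_digest(hashlib.sha256(payload).digest(), digest)


def rebuilt_without_key(image: bytes, new_payload: bytes) -> bytes:
    """Model an image whose payload and digest were rebuilt by someone lacking the vendor key."""
    version, *_ = parse(image)
    return build_image(new_payload, version, key=b"not-the-vendor-key")
```

The digest-only handler accepts the rebuilt image, while the verifying handler rejects it; that gap is exactly what a missing signature check leaves open.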

New research made public by Eclypsium on Wednesday shows how such BMC vulnerabilities can be exploited to remotely brick the servers in an organization’s data center and cause serious damage and disruption.

An attacker would first need to gain remote access to the targeted system, either via compromised credentials or vulnerabilities in one of the applications running on the device. Once they have access, hackers can use legitimate BMC update tools to install corrupted firmware that causes the device to completely stop working, and the process does not even require any special authentication or credentials.

“This malicious BMC firmware update contains additional code that, once triggered, will erase the UEFI system firmware and critical components of the BMC firmware itself,” Eclypsium researchers explained. “These changes to the host and BMC will cause all attempts to boot or recover the system to fail, rendering it unusable. These firmware images cause all attempts to boot or recover the system to fail, rendering it unusable.”

The company also warned that an attack can be set up so that the malicious payload is activated at a specified time, which could allow hackers to bring down an entire data center at once.

While it is possible to recover a server hit by such an attack, the process is slow and requires advanced technical knowledge as it involves physically connecting to the chip on each affected server and installing new firmware.

Eclypsium CEO Yuriy Bulygin told SecurityWeek that this new research – in addition to demonstrating for the first time that BMC attacks can be used to brick servers – shows that an attacker can bypass BMC network isolation by infecting the BMC through the host.

“Most people think about firmware attacks and permanent damage attacks as being physical attacks,” John Loucaides, VP of engineering at Eclypsium, said via email. “The purpose of this demonstration is to help understand the remote attack vector, which means it can be performed at scale with enormous potential damage.”

“Indeed, BMC vulnerabilities have been shown before, and system firmware vulnerabilities have been shown before. However, you don’t usually see how easy it is to use these issues in attack operations that disrupt infrastructure,” Loucaides added.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.