Servers Can Be Bricked Remotely via BMC Attack

Hackers could remotely brick servers by launching firmware attacks that involve the Baseboard Management Controller (BMC), researchers at firmware security company Eclypsium have demonstrated.

Firmware attacks can pose a serious threat as they allow attackers to gain persistent access and control over a targeted system. However, these types of attacks often require physical access to the targeted device, so they are less likely to cause widespread problems than, for example, a piece of ransomware.

However, Eclypsium has demonstrated an attack method that can pose an even bigger problem than ransomware, especially for enterprises. The company’s researchers showed that an attacker can leverage the BMC to remotely brick a server and make it very difficult for an organization to restore.

The BMC is a small computer present on a majority of server motherboards. A component of the Intelligent Platform Management Interface (IPMI), it allows administrators to remotely control and monitor a server without having to access the operating system or applications running on it. Admins can use the BMC to reboot a device, install an operating system, update the firmware, monitor system parameters, and analyze logs.

While the capabilities provided by the BMC can be highly useful for administrators, the system also introduces an attack vector that can be used to cause serious damage.

For instance, a malicious firmware update can allow attackers to plant a piece of highly persistent malware that can survive a reinstallation of the operating system and a complete wipe of the hard drive. Attackers can also move laterally to management networks that are supposed to be isolated.

Eclypsium recently reported finding some BMC vulnerabilities in Supermicro motherboards. These flaws are related to the fact that the code responsible for processing firmware updates fails to verify an update’s cryptographic signature, allowing attackers to load malicious code onto the BMC.
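The difference between an update path that only checks integrity and one that verifies a signature can be shown in a few lines of Go. This is an added example, not code from Eclypsium or Supermicro: the image layout, function names and keys are constructed for illustration, and Ed25519 is assumed as the signature scheme.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"fmt"
	"hash/crc32"
)

// Constructed layout (an assumption, not a vendor format): payload || CRC32 (4 bytes, big-endian) || Ed25519 signature.
const trailerLen = 4 + ed25519.SignatureSize

func buildImage(payload []byte, priv ed25519.PrivateKey) []byte {
	img := binary.BigEndian.AppendUint32(append([]byte{}, payload...), crc32.ChecksumIEEE(payload))
	return append(img, ed25519.Sign(priv, payload)...)
}

// acceptChecksumOnly models the flawed path: a CRC catches corruption, not an untrusted author.
func acceptChecksumOnly(img []byte) error {
	n := len(img) - trailerLen
	if n < 0 || crc32.ChecksumIEEE(img[:n]) != binary.BigEndian.Uint32(img[n:n+4]) {
		return fmt.Errorf("image truncated or checksum mismatch")
	}
	return nil
}

// acceptSigned adds the missing step: verify against a pinned vendor key before flashing.
func acceptSigned(img []byte, vendorPub ed25519.PublicKey) error {
	if err := acceptChecksumOnly(img); err != nil {
		return err
	}
	if n := len(img) - trailerLen; !ed25519.Verify(vendorPub, img[:n], img[n+4:]) {
		return fmt.Errorf("signature not from pinned vendor key")
	}
	return nil
}

// demo reports {checksum-only accepts, signed accepts} for a vendor-signed and a foreign-signed image.
func demo() (out [2][2]bool) {
	pub, vendor, _ := ed25519.GenerateKey(nil) // constructed keys; nil selects crypto/rand
	_, other, _ := ed25519.GenerateKey(nil)
	for i, k := range []ed25519.PrivateKey{vendor, other} {
		img := buildImage([]byte("constructed firmware payload"), k)
		out[i] = [2]bool{acceptChecksumOnly(img) == nil, acceptSigned(img, pub) == nil}
	}
	return
}

func main() { fmt.Println(demo()) }
```

The checksum-only path accepts both images, while the signed path accepts only the one produced with the pinned vendor key.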

New research made public by Eclypsium on Wednesday shows how such BMC vulnerabilities can be exploited to remotely brick the servers in an organization’s data center and cause serious damage and disruption.

An attacker would first need to gain remote access to the targeted system, either via compromised credentials or vulnerabilities in one of the applications running on the device. Once they have access, hackers can use legitimate BMC update tools to install corrupted firmware that causes the device to completely stop working, and the process does not even require any special authentication or credentials.

“This malicious BMC firmware update contains additional code that, once triggered, will erase the UEFI system firmware and critical components of the BMC firmware itself,” Eclypsium researchers explained. “These changes to the host and BMC will cause all attempts to boot or recover the system to fail, rendering it unusable. These firmware images cause all attempts to boot or recover the system to fail, rendering it unusable.”

The company also warned that an attack can be set up so that the malicious payload is activated at a specified time, which could allow hackers to bring down an entire data center at once.

While it is possible to recover a server hit by such an attack, the process is slow and requires advanced technical knowledge as it involves physically connecting to the chip on each affected server and installing new firmware.

Eclypsium CEO Yuriy Bulygin told SecurityWeek that this new research – in addition to demonstrating for the first time that BMC attacks can be used to brick servers – shows that an attacker can bypass BMC network isolation by infecting the BMC through the host.

“Most people think about firmware attacks and permanent damage attacks as being physical attacks,” John Loucaides, VP of engineering at Eclypsium, said via email. “The purpose of this demonstration is to help understand the remote attack vector, which means it can be performed at scale with enormous potential damage.”

“Indeed, BMC vulnerabilities have been shown before, and system firmware vulnerabilities have been shown before. However, you don’t usually see how easy it is to use these issues in attack operations that disrupt infrastructure,” Loucaides added.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
