
Servers Can Be Bricked Remotely via BMC Attack

Hackers could remotely brick servers by launching firmware attacks that involve the Baseboard Management Controller (BMC), researchers at firmware security company Eclypsium have demonstrated.


Firmware attacks can pose a serious threat as they allow attackers to gain persistent access and control over a targeted system. However, these types of attacks often require physical access to the targeted device, so they are less likely than, say, a piece of ransomware to cause widespread problems.

However, Eclypsium has demonstrated an attack method that can pose an even bigger problem than ransomware, especially for enterprises. The company’s researchers showed that an attacker can leverage the BMC to remotely brick a server and make it very difficult for an organization to restore it.

The BMC is a small computer present on a majority of server motherboards. A component of the Intelligent Platform Management Interface (IPMI), it allows administrators to remotely control and monitor a server without having to access the operating system or applications running on it. Admins can use the BMC to reboot a device, install an operating system, update the firmware, monitor system parameters, and analyze logs.

While the capabilities provided by the BMC can be highly useful for administrators, the system also introduces an attack vector that can be used to cause serious damage.

For instance, a malicious firmware update can allow attackers to plant a piece of highly persistent malware that can survive a reinstallation of the operating system and a complete wipe of the hard drive. Attackers can also move laterally to management networks that are supposed to be isolated.

Eclypsium recently reported finding some BMC vulnerabilities in Supermicro motherboards. These flaws are related to the fact that the code responsible for processing firmware updates fails to verify an update’s cryptographic signature, allowing attackers to load malicious code onto the BMC.
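The missing control described above is signature verification of the firmware image before it is accepted. The following is an added illustration, not Eclypsium’s or Supermicro’s code: it defines a constructed image layout (magic, version, payload length, payload, authenticator) and refuses images that are malformed, tampered with, signed with the wrong key, or older than the installed version. An HMAC with a stand-in vendor key is used so the example runs on the standard library alone; a real BMC would hold only a public key and verify an asymmetric signature.

```python
import hashlib
import hmac
import struct

# Constructed sample format, not any vendor's real firmware layout:
# header (4-byte magic, u16 major, u16 minor, u32 payload length), payload,
# then a 32-byte authenticator computed over header + payload.
MAGIC = b"BMCF"
SIG_LEN = 32
HEADER = struct.Struct("<4sHHI")

# Stand-in for the vendor's signing key (assumption for this example). A real
# implementation would verify an RSA/ECDSA signature against a burned-in public key.
VENDOR_KEY = b"constructed-vendor-key-not-real"


def build_image(key, major, minor, payload):
    """Produce a signed image; only the vendor's signing process should do this."""
    body = HEADER.pack(MAGIC, major, minor, len(payload)) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


def verify_image(image, key, installed_version=(0, 0)):
    """Return (ok, reason). Every check runs before a single byte would be flashed."""
    if len(image) < HEADER.size + SIG_LEN:
        return False, "image too short"
    magic, major, minor, plen = HEADER.unpack_from(image, 0)
    if magic != MAGIC:
        return False, "bad magic"
    if plen != len(image) - HEADER.size - SIG_LEN:
        return False, "payload length does not match image size"
    body, sig = image[:-SIG_LEN], image[-SIG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):      # constant-time comparison
        return False, "signature mismatch"
    if (major, minor) < installed_version:          # anti-rollback after signature check
        return False, "rollback to older firmware refused"
    return True, "ok"


def demo():
    good = build_image(VENDOR_KEY, 1, 4, b"constructed firmware payload")
    tampered = bytearray(good)
    tampered[HEADER.size] ^= 0xFF                   # flip a payload byte, keep the signature
    forged = build_image(b"attacker-key", 1, 5, b"constructed malicious payload")
    return {
        "good": verify_image(good, VENDOR_KEY, (1, 0)),
        "tampered": verify_image(bytes(tampered), VENDOR_KEY, (1, 0)),
        "forged": verify_image(forged, VENDOR_KEY, (1, 0)),
        "rollback": verify_image(good, VENDOR_KEY, (2, 0)),
    }
```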

New research made public by Eclypsium on Wednesday shows how such BMC vulnerabilities can be exploited to remotely brick the servers in an organization’s data center and cause serious damage and disruption.

An attacker would first need to gain remote access to the targeted system, either via compromised credentials or vulnerabilities in one of the applications running on the device. Once they have access, hackers can use legitimate BMC update tools to install corrupted firmware that causes the device to completely stop working, and the process does not even require any special authentication or credentials.

“This malicious BMC firmware update contains additional code that, once triggered, will erase the UEFI system firmware and critical components of the BMC firmware itself,” Eclypsium researchers explained. “These changes to the host and BMC will cause all attempts to boot or recover the system to fail, rendering it unusable.”

The company also warned that an attack can be set up so that the malicious payload is activated at a specified time, which could allow hackers to bring down an entire data center at once.

While it is possible to recover a server hit by such an attack, the process is slow and requires advanced technical knowledge as it involves physically connecting to the chip on each affected server and installing new firmware.

Eclypsium CEO Yuriy Bulygin told SecurityWeek that this new research – in addition to demonstrating for the first time that BMC attacks can be used to brick servers – shows that an attacker can bypass BMC network isolation by infecting the BMC through the host.

“Most people think about firmware attacks and permanent damage attacks as being physical attacks,” John Loucaides, VP of engineering at Eclypsium, said via email. “The purpose of this demonstration is to help understand the remote attack vector, which means it can be performed at scale with enormous potential damage.”

“Indeed, BMC vulnerabilities have been shown before, and system firmware vulnerabilities have been shown before. However, you don’t usually see how easy it is to use these issues in attack operations that disrupt infrastructure,” Loucaides added.

Related: New Firmware Flaws Resurrect Cold Boot Attacks

Related: BrickerBot Damages IoT Device Firmware

Related: Russian Cyberspies Use UEFI Rootkit in Attacks

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
