Flaw in update process for BMCs in Supermicro servers allows to deliver persistent malware or brick the server
Researchers from security firm Eclypsium have discovered a vulnerability in the Firmware update mechanism that could be exploited by hackers to Deliver Persistent Malware, completely wipe and reinstall of the operating system.
“Using the vulnerabilities we discovered, it is possible to make arbitrary modifications to the BMC code and data. Using these modifications, an attacker can run malicious software within these highly privileged management controllers. This could be useful, for example, to survive operating system reinstallation or communicate covertly with the attacker’s infrastructure, similar to the PLATINUM malware that used manageability features to bypass detection.” reads the advisory published by the expert.
“Alternatively, this vulnerability could be used to “brick” (permanently disable) the BMC or the entire system, creating an impact even more severe than the BlackEnergy KillDisk component.”
The Baseboard Management Controllers (BMCs) are part of the server motherboard and are used to directly control and manage the various hardware components of the system. It could be used to repair or reinstall the system software and it could be remotely controlled by administrators.
The BMCs are a privileged target of hackers because they operate at low level, below the level of the host OS and system firmware.
Experts discovered that the update mechanism doesn’t implement a code signing verification mechanism either check if the firmware is downloaded from a legitimate source.
The exploitation of the flaw could allow attackers to run malicious code that is transparent to OS-level antimalware solutions.
The attack scenario sees hackers in a position to carry out man-in-the-middle attacks, this means that they have to be able to access the traffic during the update process.
“Our research has uncovered vulnerabilities in the way that multiple vendors update their BMC firmware. These vendors typically leverage standard, off-the-shelf IPMI management tools instead of developing customized in-house management capabilities.” continues the analysis.
“In this case, we will go deep into the BMC update process on Supermicro systems, we found that the BMC code responsible for processing and applying firmware updates does not perform cryptographic signature verification on the provided firmware image before accepting the update and committing it to non-volatile storage. This effectively allows the attacker to load modified code onto the BMC.
The researchers highlighted that attackers could exploit the flaw to permanently brick the BMC or the entire server.
“Because IPMI communications can be performed over the BMC LAN interface, this update mechanism could also be exploited remotely if the attacker has been able to capture the admin password for the BMC,” Eclypsium added.
“This requires access to the systems management network, which should be isolated and protected from the production network. However, the implicit trust of management networks and interfaces may generate a false sense of security, leading to otherwise-diligent administrators practicing password reuse for convenience.”
The researchers have reported the flaw Supermicro that addressed it by implementing signature verification to the firmware update tool.