Naked Security Naked Security

Supermicro servers fixed after insecure firmware updating discovered

Researchers have sounded a warning about the security of Baseboard Management Controllers (BMCs) - a critical component that datacentres depend on to manage servers.

Researchers have sounded a warning about the security of Baseboard Management Controllers (BMCs) – a critical component that datacentres depend on to manage servers.
According to Eclypsium, the BMC used by one server brand, Supermicro, has an insecure updating process that could allow an attacker to modify its firmware or run malware.
Affecting X8 through X11-generation systems, the BMC code wasn’t carrying out cryptographic signature verification before accepting firmware updates, the company said.
BMCs are like powerful computers-within-the-server, complete with their own CPU and memory, that remain turned on even when the server is not being used (not dissimilar to the Intel Management Engine found inside home computers).
When compromised, an attacker would be able to sneak their own modified firmware onto a server – something that would give admins a very bad day at the office.
This is the privileged layer used to issue server wipes and OS reinstalls, which would hand the same power to attackers to take over the system, or to ‘brick’ it as part of a denial-of-service attack, or possibly move sideways to other parts of the network.
It would also be incredibly difficult to detect, let alone stop once it had started – the attacker would have loaded their own firmware after all.

How did this happen?

All BMCs are hooked up to the outside world – the admins – via something called the Intelligent Platform Management Interface (IPMI), through which instructions specific to each brand of controller are issued. Authentication here is a good idea but unfortunately not mandatory.
The only limitation on the attack was the need for credentials:

Because IPMI communications can be performed over the BMC LAN interface, this update mechanism could also be exploited remotely if the attacker has been able to capture the ADMIN password for the BMC.

Supermicro is not the only vendor falling short on authentication, said the researchers:

Our research has uncovered vulnerabilities in the way that multiple vendors update their BMC firmware. These vendors typically leverage standard, off-the-shelf IPMI management tools instead of developing customized in-house management capabilities.

That said, it seems that weaknesses in Supermicro’s firmware have been detected as long ago as 2013. More recently, researchers have started worrying about the security of BMCs more generally.

Fixes

The solution is for server makers to implement authentication, which the researchers say is now part of Supermicro’s updating process for all new products. Customers using the X10 and X11 generation servers who have locked their firmware version should visit the support page for more advice or contact the company first.