New vulnerabilities mean it’s time to review server BMC interfaces
Two recently discovered vulnerabilities in widely used baseboard management controllers could give remote and local threat actors full control over servers.
The frequency and severity of security issues found over the years in the firmware of baseboard management controllers (BMCs) on server motherboards highlight an often overlooked, yet critical, area of IT infrastructure security. The latest additions to the growing list of flaws are two vulnerabilities in a widely used "lights-out" management firmware that ships in servers from many different manufacturers. Exploited together, they could give remote and local attackers full control over affected servers at a low and hard-to-detect level.
“The impact of exploiting these vulnerabilities includes remote control of compromised servers, remote deployment of malware, ransomware and firmware implanting or bricking motherboard components (BMC or potentially BIOS/UEFI), potential physical damage to servers (over-voltage / firmware bricking), and indefinite reboot loops that a victim organization cannot interrupt,” researchers from firmware security firm Eclypsium said recently in a report. “Lights out, indeed.”
BMCs are specialized microcontrollers with their own firmware and operating system, dedicated memory, power, and network ports. They provide out-of-band management of servers even when the primary operating system is shut down. BMCs are essentially small computers that run inside servers and let administrators perform maintenance tasks remotely, such as reinstalling operating systems, restarting servers that have become unresponsive, deploying firmware updates, and so on. This is also sometimes referred to as lights-out management.
A long history of BMC flaws

Security researchers have been warning for at least a decade about security issues in BMC implementations and in the Intelligent Platform Management Interface (IPMI) specification they implement. The vulnerabilities have included hardcoded credentials and accounts, misconfigurations, weak or absent encryption, and code bugs such as buffer overflows. Even though these management interfaces should operate on isolated network segments, hundreds of thousands have been found exposed to the internet over the years.
Last year, researchers found a malicious implant dubbed iLOBleed that was likely developed by an APT group and was being deployed on Hewlett Packard Enterprise (HPE) Gen8 and Gen9 servers through vulnerabilities in HPE iLO (HPE's Integrated Lights-Out) BMC that were known since 2018.
In 2018, attackers reportedly deployed a ransomware program called JungleSec on Linux servers by taking advantage of insecure IPMI interfaces that still used default administrator credentials. In 2016, Microsoft reported that an APT group dubbed PLATINUM exploited Intel's Active Management Technology (AMT) Serial-over-LAN (SOL) feature to set up a covert communication channel for transferring files. AMT is a component of Intel's Management Engine (Intel ME), a BMC-like subsystem present in the chipsets of most Intel desktop and server platforms.
Two new flaws in AMI MegaRAC

Eclypsium researchers found and disclosed two new vulnerabilities in MegaRAC, a BMC firmware implementation developed by American Megatrends (AMI), the world's largest supplier of BIOS/UEFI and BMC firmware. Server manufacturers that have used AMI MegaRAC in some of their products over time include AMD, Ampere Computing, ASRock, Asus, Arm, Dell EMC, Gigabyte, Hewlett Packard Enterprise, Huawei, Inspur, Lenovo, Nvidia, Qualcomm, Quanta, and Tyan.
This is not the first time Eclypsium found BMC vulnerabilities. In December 2022 the company disclosed five other vulnerabilities it identified in AMI MegaRAC, some of which allowed for arbitrary code execution via the Redfish API or provided SSH access to privileged accounts due to hardcoded passwords.
The two new vulnerabilities are also located in the Redfish management interface. Redfish is a standardized interface for out-of-band management that has been developed to replace the older IPMI.
One of the flaws, tracked as CVE-2023-34329, allows attackers to bypass authentication by spoofing HTTP request headers. MegaRAC's Redfish implementation supports two modes of authentication: Basic Auth, which needs to be enabled in the BIOS, and No Auth, which is meant to grant access without authentication when requests arrive from the internal IP address or the USB0 network interface (the host interface between the BMC and the server it manages).
The researchers discovered that it is possible to spoof HTTP request headers to trick the BMC into believing that an external request is coming from the internal USB0 interface. If No Auth is enabled, as it is by default, this gives attackers the ability to perform privileged administrative actions through the Redfish API, including creating new users.
This vulnerability is rated critical with a CVSS score of 9.1 and is serious on its own. Combined with the second flaw, CVE-2023-34330, it becomes even more dangerous. That is because CVE-2023-34330 stems from a feature that is enabled by default for requests coming from the host interface: the ability to send POST requests whose body contains code that the BMC then executes with root privileges.
“When both of these vulnerabilities are chained together, even a remote attacker with network access to BMC management interface and no BMC credentials can achieve remote code execution by tricking BMC into believing that the http request is coming from the internal interface,” the researchers explained. “As a result, the attacker can remotely upload and execute arbitrary code, possibly from the Internet, if the interface is exposed to it.”
The potential attack scenarios are extensive because of the power BMCs have over the host system. In an extortion scenario, for example, attackers could use BMC functionality to shut the system down every few seconds in a loop while blocking administrative access to the BMC, leaving administrators with a state that is very hard to recover from, since the BMC starts automatically as soon as the system receives power. Attackers could send the same reboot command to every BMC on the same management network, or deploy implants on all of them.
Attackers could also deploy an implant for long-term espionage, because BMCs provide remote control over the host OS and can even inject keyboard events into it as if the attacker were physically at the machine. Endpoint protection solutions running in the host OS cannot see or block such actions, because they originate below it. BMCs can also perform UEFI/BIOS updates, so attackers could push a rogue update that modifies UEFI settings or configurations.
Lateral movement to other servers via their BMCs is also possible, as is access to Active Directory credentials. The same access could be used to compromise guest OS images in a virtualized cloud environment.
Organizations should ensure that all remote server management interfaces (e.g., Redfish, IPMI) and BMC subsystems sit on dedicated management networks, and that access is restricted to administrative users following zero-trust principles. Vendor documentation on BMC hardening should be reviewed, and any unsafe default configurations and built-in or hardcoded administrative accounts should be disabled. Firmware should always be kept up to date and monitored for unauthorized changes.
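One concrete way to verify the "dedicated management network" recommendation is to probe for IPMI listeners from a network segment that should not be able to reach them. The following is an added example, not code from the page or from any vendor: it sends an RMCP/ASF Presence Ping to UDP port 623 (the same exchange tools such as ipmiping use) and parses the Presence Pong, whose "supported entities" byte advertises IPMI support. Packet layouts follow the ASF/RMCP specification; the sample pong bytes are constructed for the offline check, not captured from a real device.

```python
# Added example (not from the page or any vendor): RMCP/ASF Presence Ping
# probe for auditing whether an IPMI listener answers on UDP/623 from a
# network that should not reach it. Packet layouts per the ASF/RMCP spec.
import socket
import struct
import sys
from typing import Optional, Dict

RMCP_PORT = 623
ASF_IANA = 0x000011BE            # IANA enterprise number for ASF-RMCP
ASF_PRESENCE_PING = 0x80
ASF_PRESENCE_PONG = 0x40
RMCP_CLASS_ASF = 0x06


def build_presence_ping(tag: int = 0x01) -> bytes:
    """RMCP header (version 6, reserved, seq 0xFF = no ACK, class ASF) followed
    by an ASF Presence Ping with an empty data field."""
    rmcp = struct.pack("!BBBB", 0x06, 0x00, 0xFF, RMCP_CLASS_ASF)
    asf = struct.pack("!IBBBB", ASF_IANA, ASF_PRESENCE_PING, tag & 0xFF, 0x00, 0x00)
    return rmcp + asf


def parse_presence_pong(packet: bytes, expected_tag: int = 0x01) -> Optional[Dict]:
    """Validates a Presence Pong and decodes its 16-byte data field.
    Returns None for anything that is not a well-formed pong for our tag."""
    if len(packet) < 4 + 8 + 16:
        return None
    version, _, _, cls = struct.unpack("!BBBB", packet[:4])
    if version != 0x06 or cls != RMCP_CLASS_ASF:
        return None
    iana, mtype, tag, _, dlen = struct.unpack("!IBBBB", packet[4:12])
    if iana != ASF_IANA or mtype != ASF_PRESENCE_PONG or tag != expected_tag or dlen < 16:
        return None
    # Data: OEM IANA (4), OEM defined (4), supported entities (1),
    # supported interactions (1), reserved (6)
    oem_iana, oem_defined, entities, interactions = struct.unpack("!IIBB", packet[12:22])
    return {
        "ipmi_supported": bool(entities & 0x80),       # bit 7: IPMI supported
        "asf_version": entities & 0x0F,                # bits 3:0: ASF version
        "rmcp_security_ext": bool(interactions & 0x80),
        "dash_supported": bool(interactions & 0x40),
        "oem_iana": oem_iana,
        "oem_defined": oem_defined,
    }


def probe(host: str, port: int = RMCP_PORT, timeout: float = 2.0) -> Optional[Dict]:
    """Sends one Presence Ping and returns the decoded pong, or None on no
    answer. A non-None result from an untrusted segment means the BMC's IPMI
    listener is reachable from where it should not be."""
    ping = build_presence_ping(tag=0x01)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(ping, (host, port))
        try:
            data, _ = sock.recvfrom(512)
        except socket.timeout:
            return None
    return parse_presence_pong(data, expected_tag=0x01)


# Constructed sample pong for an offline check (not a real capture):
# entities 0x81 = IPMI supported + ASF v1; interactions 0x00.
SAMPLE_PONG = (
    struct.pack("!BBBB", 0x06, 0x00, 0xFF, RMCP_CLASS_ASF)
    + struct.pack("!IBBBB", ASF_IANA, ASF_PRESENCE_PONG, 0x01, 0x00, 0x10)
    + struct.pack("!IIBB6x", 0, 0, 0x81, 0x00)
)

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    if target is None:
        print("offline sample:", parse_presence_pong(SAMPLE_PONG))
    else:
        result = probe(target)
        print(f"{target}: {'IPMI reachable ' + str(result) if result else 'no RMCP answer'}")
```

Run it against each BMC address from a segment that should be isolated (an ordinary user VLAN, a DMZ host, a cloud workload subnet); any decoded pong is a finding. Because RMCP is UDP, a missing answer only means the probe was not answered, not that the port is closed, so pair this with your firewall rule review rather than treating silence as proof of isolation.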
The US Cybersecurity and Infrastructure Security Agency (CISA) has published guidance on hardening baseboard management controllers, as well as other types of management interfaces in general.