Thousands of enterprise servers are running vulnerable BMCs, researchers find – Reseller News

Credit: Dreamstime

Having the ability to remotely manage and monitor servers even when their main operating system becomes unresponsive is vital to enterprise IT administrators. All server manufacturers provide this functionality in firmware through a set of chips that run independent of the rest of the server and OS. These are known as baseboard management controllers (BMCs) and if they’re not secured properly, they can open the door to highly persistent and hard-to-detect rootkits.

Over the years, security researchers have found and demonstrated vulnerabilities in the BMC implementations of different server manufacturers and attackers have taken advantage of some of them. One recent example is iLOBleed, a malicious BMC implant found in the wild by an Iranian cybersecurity company that targets Hewlett Packard Enterprise (HPE) Gen8 and Gen9 servers, but this is not the only such attack found over the years.

According to an analysis by firmware security firm Eclypsium, 7,799 HPE iLO (HPE’s Integrated Lights-Out) server BMCs are exposed to the internet and most do not appear to be running the latest version of the firmware. When other vulnerabilities were found in the BMC implementation of Supermicro servers in 2019, more than 47,000 publicly exposed Supermicro BMCs from over 90 different countries were exposed. It’s safe to say that across all server vendors, the number of BMC interfaces that can be attacked from the internet is in the tens or hundreds of thousands.

“BMC vulnerabilities are also incredibly common and often overlooked when it comes to updates,” the Eclypsium researchers said in a new blog post following the iLOBleed reports. “Vulnerabilities and misconfigurations can be introduced early in the supply chain before an organisation ever takes ownership of a server. Supply chain issues can still exist even after deployment due to vulnerable updates or if adversaries are able to compromise a vendor’s update process. Ultimately, this creates a challenge for enterprises in which there are many vulnerable systems, very high impacts in the case of an attack, and adversaries actively exploiting the devices in the wild.”

The iLOBleed implant

HPE’s iLO technology has existed in HPE servers for over 15 years. It’s implemented as an ARM chip that has its own dedicated network controller, RAM and flash storage. Its firmware includes a dedicated operating system that runs independently of the server’s main operating system. Like all BMCs, HPE iLO is essentially a small computer designed to control a larger computer — the server itself.

Administrators can access iLO through a web-based administration panel that’s served through the BMC’s dedicated network port, or via tools that talk with the BMC over the standardised Intelligent Platform Management Interface (IPMI) protocol. Admins can use iLO to turn the server on and off, tweak various hardware and firmware settings, access the system console, reinstall the main operating system by attaching a CD/DVD image remotely, monitoring hardware and software sensors and even deploy BIOS/UEFI updates.

The iLOBleed implant is suspected to be the creation of an advanced persistent threat (APT) group and has been used since at least 2020. It is believed to exploit known vulnerabilities such as CVE-2018-7078 and CVE-2018-7113 to inject new malicious modules into the iLO firmware that add disk wiping functionality.

Once installed, the rootkit also blocks attempts to upgrade the firmware and reports back that the newer version was installed successfully to trick administrators. However, there are ways to tell that the firmware was not upgraded. For example, the login screen in the latest available version should look slightly different. If it doesn’t, it means that the update was prevented, even if the firmware reports the latest version.

It’s also worth noting that infecting the iLO firmware is possible if an attacker gains root (administrator) privileges to the host operating system since this allows flashing the firmware. If the server’s iLO firmware has no known vulnerabilities, it is possible to downgrade the firmware to a vulnerable version. On Gen10 it is possible to prevent downgrade attacks by enabling a firmware setting, but this is not turned on by default and not possible on older generations.

“Attackers can abuse these [BMC] capabilities in a variety of ways,” the Eclypsium researchers said. “iLOBleed has demonstrated the ability to use the BMC to wipe the disks of a server. The attacker could just as easily steal data, install additional payloads, control the server in any way, or disable it entirely. It is also important to note that compromising physical servers can put not only workloads but entire clouds at risk.”


Leave a Reply

This website uses cookies. By continuing to use this site, you accept our use of cookies.