Supermicro wraps crypto-blanket around server firmware to hide it from malware injectors

BMC software updates to check code signatures after researchers hit red alert


Researchers claim to have discovered an exploitable flaw in the baseboard management controller (BMC) hardware used by Supermicro servers.

Security biz Eclypsium today said a weakness in the mechanism for updating a BMC's firmware could be abused by an attacker to install and run malicious code that would be extremely difficult to remove.

A BMC is typically installed directly onto the motherboard of a server where it is able to directly control and manage the various hardware components of the server independent of the host and guest operating systems. It can also repair, alter, or reinstall the system software, and is remotely controlled over a network or dedicated channel by an administrator. It allows IT staff to manage, configure, and power cycle boxes from afar, which is handy for people looking after warehouses of machines.

Because BMCs operate at such a low level, they are also valuable targets for hackers.

In this case, Eclypsium says the firmware update code in Supermicro's BMCs doesn't bother to cryptographically verify whether or not the downloaded upgrade was issued by the manufacturer, leaving the controllers vulnerable to tampering. The bug could be exploited to execute code that would then be able to withstand OS-level antivirus tools and reinstalls.

To do this, an attacker already on the data center network, or otherwise able to access the controllers, would need to intercept the firmware download, meddle with it, and pass it on to the hardware that will then blindly install it. Alternatively, a miscreant able to eavesdrop on and fiddle with internet traffic feeding into an organization could tamper with the IT team's BMC firmware downloads, which again would be accepted by the controller.

“We found that the BMC code responsible for processing and applying firmware updates does not perform cryptographic signature verification on the provided firmware image before accepting the update and committing it to non-volatile storage,” says Eclypsium.

“This effectively allows the attacker to load modified code onto the BMC.”

In addition to running malware code beneath the OS level, the researchers said the flaw could also be used to permanently brick the BMC or even the entire server. Even worse, a potential attack wouldn’t even necessarily require physical access to the server itself.

“Because IPMI communications can be performed over the BMC LAN interface, this update mechanism could also be exploited remotely if the attacker has been able to capture the admin password for the BMC,” Eclypsium warned.

“This requires access to the systems management network, which should be isolated and protected from the production network. However, the implicit trust of management networks and interfaces may generate a false sense of security, leading to otherwise-diligent administrators practicing password reuse for convenience.”

Fortunately, Eclypsium says it has already reported the bug to Supermicro, who responded by adding signature verification to the firmware update tool, effectively plugging this vulnerability. Admins are being advised to get in touch with their Supermicro security contacts to get the fix in place. ®
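The check the fix adds, next to the accept-anything behaviour Eclypsium describes, as an added Go example that is not Supermicro's or Eclypsium's code. It assumes a detached Ed25519 signature and a vendor public key pinned in the updater; the signature scheme, the `Flash` type and the function names are hypothetical, and the key and image are constructed samples.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"errors"
	"fmt"
)

// Flash stands in for the BMC's non-volatile storage (hypothetical type).
type Flash struct{ image []byte }

var ErrBadSignature = errors.New("firmware signature check failed; image not written")

// UpdateUnverified mirrors the reported behaviour: whatever arrives is committed.
func UpdateUnverified(f *Flash, image []byte) {
	f.image = append([]byte(nil), image...)
}

// UpdateVerified checks a detached Ed25519 signature against the pinned vendor
// key and only writes to flash when it is valid (assumed scheme, not the vendor's).
func UpdateVerified(f *Flash, vendorKey ed25519.PublicKey, image, sig []byte) error {
	// ed25519.Verify panics on a wrong-sized key, so check the length first.
	if len(vendorKey) != ed25519.PublicKeySize || !ed25519.Verify(vendorKey, image, sig) {
		return ErrBadSignature
	}
	f.image = append([]byte(nil), image...)
	return nil
}

// Demo signs a constructed image, alters one byte "in transit", and reports
// what each updater ends up storing.
func Demo() (unverifiedTookTampered, verifiedTookTampered, verifiedTookGenuine bool) {
	seed := bytes.Repeat([]byte{0x42}, ed25519.SeedSize) // constructed test key
	priv := ed25519.NewKeyFromSeed(seed)
	pub := priv.Public().(ed25519.PublicKey)
	genuine := []byte("BMC-FW v1.0 (constructed sample image)")
	sig := ed25519.Sign(priv, genuine)
	tampered := append([]byte(nil), genuine...)
	tampered[len(tampered)-1] ^= 0xFF // one byte changed between vendor and BMC
	a, b, c := &Flash{}, &Flash{}, &Flash{}
	UpdateUnverified(a, tampered)
	errT := UpdateVerified(b, pub, tampered, sig)
	errG := UpdateVerified(c, pub, genuine, sig)
	return bytes.Equal(a.image, tampered), errT == nil || b.image != nil,
		errG == nil && bytes.Equal(c.image, genuine)
}

func main() { fmt.Println(Demo()) }
```

The ordering is the point: the signature is checked before the write, so a rejected image never reaches storage.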
