A pair of IT professionals have uncovered a potentially serious flaw in the hardware management tools for older Dell servers.
The upshot is that it is possible for a rogue system administrator, or someone who has obtained their network access, or miscreants in the supply chain, to reprogram vulnerable PowerEdge motherboard controllers with malicious code. This malware can survive operating system reinstallation, hard disk wiping and replacement, and motherboard BIOS rewrites. It can be virtually undetectable, and can snoop on and tamper with whatever happens on the compromised machine.
In order to exploit this, an attacker has to be determined, and has to have extraordinary access: either internally as a data center administrator, or by physically getting their hands on the hardware at some point, either on site or while it ships from the factory to the customer. As such, it is not a world-ending bug. However, it's something to consider, at least, especially if you're handling valuable corporate secrets.
Here are the details: Jon Sands and Adam Nielsen discovered and reported via Serve The Home a bug dubbed iDRACula because it involves Dell's iDRAC service. iDRAC is software that runs on the baseboard management controller (BMC) inside a PowerEdge system, independent of whatever hypervisor, operating system, and applications are running.
It has full control over the hardware. Administrators can connect over the network to a server's iDRAC to diagnose and fix up any problems. It's a lot easier to fire up a web browser, and remotely power cycle the box or reinstall its OS, than locate, pull out, repair, and re-rack a system by hand, for instance.
The weakness is said to be present in 12th- and 13th-generation Dell EMC PowerEdge servers. The latest machines, 14th-gen and up, are not vulnerable because they introduced a root-of-trust in the BMC processor, meaning only Dell-authorized code can run on the controller, and not junk injected by hackers.
Essentially, on a vulnerable box, an attacker can downgrade the iDRAC firmware from version 8 to an older version that has a known vulnerability in it, and exploit this to gain root access to the small instance of Linux running on the BMC. This can be leveraged to smuggle whatever malware is needed into the iDRAC firmware storage. Then, the hacker can upgrade the firmware back to the version that was there before, keeping the spyware intact. To system administrators, the box appears to be normal, and there's no sign of dodgy code running on the BMC.
In other words, there's nothing stopping people from downgrading the firmware to a known vulnerable version, and nothing stopping them from installing modified firmware. If this can't be done remotely, it is possible to do this physically: popping open the lid, and reprogramming the iDRAC firmware storage chip with arbitrary code. The BMC processor doesn't check to see if the iDRAC code is fully legit and untampered with or not. With the 14th-generation and onwards, running iDRAC version 9, a root-of-trust is used to ensure bad stuff isn't executed, because it won't be digitally signed off by Dell.
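The downgrade-then-restore sequence described above leaves one trace a defender can look for: the BMC's firmware version moves backwards and then returns to where it started. The following Python is an added example, not code from the article, Dell, or the researchers; the log line format, timestamps and version numbers are constructed for illustration and are not Dell's own log format.

```python
"""Flag firmware downgrades and downgrade-then-restore round trips in a
constructed BMC firmware-version history (added example, assumed log format)."""
from typing import List, Tuple

Version = Tuple[int, ...]
Record = Tuple[str, Version]  # (timestamp, version)


def parse_version(v: str) -> Version:
    """'2.52.52.52' -> (2, 52, 52, 52); tuple comparison orders versions numerically."""
    return tuple(int(part) for part in v.strip().split("."))


def parse_log(lines: List[str]) -> List[Record]:
    """Assumed line shape: '<timestamp> iDRAC firmware version <version>'.
    Lines that do not match are ignored."""
    history: List[Record] = []
    for line in lines:
        ts, _, rest = line.partition(" ")
        if rest.startswith("iDRAC firmware version "):
            history.append((ts, parse_version(rest.split()[-1])))
    return history


def find_downgrades(history: List[Record]) -> List[Tuple[str, Version, Version]]:
    """Every step where the recorded version is lower than the previous one."""
    return [(ts, prev, cur)
            for (_, prev), (ts, cur) in zip(history, history[1:]) if cur < prev]


def find_roundtrips(history: List[Record]) -> List[Tuple[str, str]]:
    """A downgrade that is later undone (version climbs back to at least the
    pre-downgrade level): afterwards the box looks normal, which is exactly
    the pattern to investigate. Returns (downgrade_ts, restore_ts) pairs."""
    trips = []
    for i in range(1, len(history)):
        prev, cur = history[i - 1][1], history[i][1]
        if cur < prev:
            restore = next((ts for ts, later in history[i + 1:] if later >= prev), None)
            if restore is not None:
                trips.append((history[i][0], restore))
    return trips


# Constructed sample: a downgrade, a restore, then a legitimate upgrade.
SAMPLE_LOG = [
    "2018-09-01T10:00:00Z iDRAC firmware version 2.52.52.52",
    "2018-09-03T02:14:00Z iDRAC firmware version 2.30.30.30",
    "2018-09-03T02:40:00Z iDRAC firmware version 2.52.52.52",
    "2018-09-10T09:00:00Z iDRAC firmware version 2.61.60.60",
]
```

Running `find_roundtrips(parse_log(SAMPLE_LOG))` on the constructed log returns the single suspicious window between the 02:14 downgrade and the 02:40 restore, while the later upgrade to 2.61.60.60 is not flagged.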
Come on folks, put some effort in
Dell stressed this is difficult to exploit in practice.
"We were made aware by the individual of potential Dell EMC iDRAC vulnerabilities," a Dell spokesperson told El Reg this week.
"Applied remotely, with administrative rights for iDRAC, he had downloaded an older firmware version with a known vulnerability and created root user access. This known vulnerability has already been addressed in subsequent firmware releases. The second potential vulnerability was through direct physical access with short circuit jumper cables.
"These potential vulnerabilities require either physical access or current (and valid) administrative rights. Additionally, these are not applicable to Dell EMC iDRAC9 and 14th generation PowerEdge servers, Dell EMC’s latest offering which became available in mid-2017. We always recommend our customers maintain up-to-date iDRAC firmware and isolate the management network with technologies, such as firewalls, and limit access to authorized server administrators only."
The report also brings up an interesting point about physical access. While an outside attacker would have a hard time getting into a server room to tamper with a machine, a rogue company insider or dodgy person in the supply and distribution chain could find the opportunity to rewrite the firmware in such a way as to silently and secretly spy on the machine.
This is not the first time the security of server BMCs has been called into question. Last month, researchers discovered similar vulnerabilities in the BMC hardware used in Supermicro servers, prompting the company to release an update. ®