Watch researchers remotely brick a server by corrupting its BMC and UEFI firmware

Attack is only a proof-of-concept, but one that can be as damaging as ransomware or disk-wiping malware.
Written by Catalin Cimpanu, Contributor on

In a proof-of-concept video published today, security researchers from Eclypsium have shown that firmware attacks can be just as dangerous and damaging as infections with ransomware or disk-wiping malware.

Their proof-of-concept attack is aimed at servers that feature a Baseboard Management Controller (BMC), a chip-on-chip system that allows for remote system management operations.

The attack portrayed in the video requires an attacker to gain access to a server beforehand, but researchers argue this isn't a big issue in today's software landscape where almost any software product is affected by a remotely exploitable vulnerability, and enterprises are plagued by password reuse and default credentials.

Also: Thousands of Jenkins servers will let anonymous users become admins

Once an attacker has a foothold on a system, the Eclypsium team says they can use the Keyboard Controller Style (KCS) interface to interact with the BMC.

The KCS, just like the BMC, is one of the many tools that are part of the Intelligent Platform Management Interface (IPMI), a collection of utilities usually found on servers and workstations deployed on enterprise networks, which allow administrators to manage systems from remote locations.

The KCS acts as a host-to-BMC interface, technically mimicking a keyboard, and provides an easy way to send commands from the local computer to the BMC, instead of relying on the BMC to receive commands from a remote management station. It is mostly used for debugging purposes, but it can also be weaponized for an attack like this.

Moreover, researchers say no special authentication or credentials are required to interact with the KCS interface, meaning that any compromise of a server grants an attacker a direct line to its firmware.

"In our demonstration, we use normal update tools to pass a malicious firmware image to the BMC over this interface," researchers told ZDNet. "No special authentication or credentials are required for this."

"This malicious BMC firmware update contains additional code that, once triggered, will erase the UEFI system firmware and critical components of the BMC firmware itself," they added. "These changes to the host and BMC will cause all attempts to boot or recover the system to fail, rendering it unusable. These firmware images cause all attempts to boot or recover the system to fail, rendering it unusable."

Eclypsium researchers told ZDNet that the results of this attack are near permanent unless system administrators get down to the bottom of things and realize what happened.

Must read

"Recovery would require opening each affected server and physically connecting to the chip to deliver new firmware, which is a very slow, technical process that is beyond the ability of most IT staff. The device is effectively bricked and unusable," Yuriy Bulygin, CEO and Co-founder of Eclypsium, told ZDNet via email.

"This represents a much more high-value attack than traditional wipers and ransomware," said Bulygin. "Organization's primary assets are their data center and cloud applications. This attack applies to both. The impact of bringing down a cloud deployment is potentially massive."

Earlier this year, Eclypsium researchers also disclosed two sets of vulnerabilities[1, 2] in Supermicro motherboards, affecting their BMCs.

The company also plans to publish a blog post on this attack later today that will be made available here.

Many of 2018's most dangerous Android and iOS security flaws still threaten your mobile security

More cybersecurity coverage:

Editorial standards