CISA, NSA urge companies to harden up their BMC firmware

Two key US cyber security agencies are warning enterprises that they need to pay better attention to their baseboard management controllers (BMCs).

The Cyber and Infrastructure Security Agency (CISA) and National Security Agency (NSA) have teamed up to jointly publish a BMC hardening guide [pdf].

The BMC is a specialised processor that provides remote monitoring and management of hosts like servers.

Accessible over a network connection, it monitors sensor hardware, BIOS and UEFI firmware, and provides console access to power cycle the host and read its logs.

That puts the BMC in a position of considerable trust, and makes vulnerabilities such as those seen in American Megatrends and Intel BMCs high-priority events.

As the CISA/NSA guide states, “BMC firmware is highly privileged, executes outside the scope of operating system (OS) controls, and has access to all resources of the server-class platform on which it resides. 

“It executes the moment power is applied to the server. Therefore, boot to a hypervisor or OS is not necessary as the BMC functions even if the server is shutdown.

“A vulnerable BMC broadens the attack vector by providing malicious actors the opportunity to employ tactics such as establishing a beachhead with preboot execution potential. 

“Additionally, a malicious actor could disable security solutions such as the trusted platform module (TPM) or UEFI secure boot, manipulate data on any attached storage media, or propagate implants or disruptive instructions across a network infrastructure.”

Protections that security administrators should apply include setting and protecting strong BMC credentials, and allowing access only over a separate VLAN that is reachable solely from administrative endpoints.

If a vendor publishes a BMC hardening guide, it should be implemented, and administrators should establish a routine to check that their BMC software and firmware are at the most current patch level, the agencies advised.

BMC integrity monitoring is also recommended, with the guide noting that “some BMCs report integrity data to a root of trust (RoT).”

“The RoT could take the form of a TPM, dedicated security chip or coprocessor (multiple trademarked names in use), or a central processing unit (CPU) secure memory enclave. Monitor integrity features for unexpected changes and platform alerts,” they advised.

Enterprises should also make sure that sensitive workloads are only executed on hardened devices, which means moving them off older hosts that don’t support BMC hardening.

Enterprises should also use available firmware scanners.

Finally, the guide states, “do not ignore BMCs”. In particular, enterprises should “treat an unused BMC as if it may one day be activated.”
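One way to check the segmentation advice above in practice, and to watch for the lateral movement the guide warns about, is to audit network flow records for BMC management traffic. The following is an added example, not from the CISA/NSA guide or any vendor: the BMC addresses, admin subnet and flow-log format are all constructed, and the script flags any connection to a BMC from outside the admin network, or any connection a BMC itself initiates toward a non-admin destination.

```python
import ipaddress
from collections import namedtuple

# Constructed inventory (assumed values): BMC management addresses and the
# admin-only network that is allowed to reach them.
BMC_HOSTS = {
    "10.200.1.10": "srv-db01-bmc",
    "10.200.1.11": "srv-app01-bmc",
}
ADMIN_NETS = [ipaddress.ip_network("10.250.0.0/24")]  # jump hosts / admin endpoints
# Services an out-of-band interface typically exposes:
# IPMI-over-LAN (623/udp), Redfish or web UI (443/tcp), SSH (22/tcp)
BMC_PORTS = {623, 443, 22}

Finding = namedtuple("Finding", "ts src dst port reason")


def parse_flow(line):
    """Parse a constructed flow record: '<ts> <proto> <src>:<port> -> <dst>:<port>'."""
    ts, proto, src, _, dst = line.split()
    src_ip, _ = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return ts, proto, src_ip, dst_ip, int(dst_port)


def in_admin_net(ip):
    return any(ipaddress.ip_address(ip) in net for net in ADMIN_NETS)


def audit_flows(lines):
    """Return one Finding per flow that violates the BMC segmentation policy."""
    findings = []
    for line in lines:
        ts, _proto, src_ip, dst_ip, port = parse_flow(line)
        if dst_ip in BMC_HOSTS and port in BMC_PORTS and not in_admin_net(src_ip):
            # Inbound management access from a non-admin source (user LAN, another BMC, ...)
            findings.append(Finding(ts, src_ip, BMC_HOSTS[dst_ip], port,
                                    "BMC reached from outside the admin network"))
        elif src_ip in BMC_HOSTS and not in_admin_net(dst_ip):
            # A BMC should not initiate connections; this is how implants spread
            findings.append(Finding(ts, BMC_HOSTS[src_ip], dst_ip, port,
                                    "BMC initiated a connection to a non-admin host"))
    return findings


# Constructed sample flow records for a stand-alone run
SAMPLE_FLOWS = [
    "2024-06-01T10:00:01Z tcp 10.250.0.5:51000 -> 10.200.1.10:443",   # admin -> BMC, allowed
    "2024-06-01T10:00:05Z udp 192.168.5.20:40000 -> 10.200.1.11:623",  # user LAN -> IPMI
    "2024-06-01T10:00:09Z tcp 10.200.1.10:33000 -> 10.200.1.11:22",    # BMC -> BMC lateral
    "2024-06-01T10:00:12Z tcp 10.200.1.11:44000 -> 203.0.113.7:443",   # BMC -> external host
    "2024-06-01T10:00:15Z tcp 10.250.0.5:51002 -> 10.30.0.9:443",      # unrelated traffic
]

if __name__ == "__main__":
    for f in audit_flows(SAMPLE_FLOWS):
        print(f"{f.ts} {f.src} -> {f.dst}:{f.port}  {f.reason}")
```

Three of the five sample flows are reported; feeding the script real flow exports from the management VLAN's firewall or switch turns the guide's "separate VLAN" advice into a recurring check.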
