Every modern server is equipped with a baseboard management controller (BMC) that enables its remote management. A BMC is essentially a computer within a computer with its own memory, firmware, graphics, and, like any other computer, potential vulnerabilities. Last week it was discovered that Dell EMC’s proprietary iDRAC (integrated Dell Remote Access Controller) hardware/software system used on the 13th Generation PowerEdge servers (and older) is vulnerable to an attack that allows the unauthorized replacement of the BMC's firmware, swapping out the stock firmware with a malicious one.

The vulnerability allows the firmware swap to take place with either local or remote access. With physical access to the server, it's possible to replace the firmware even without valid login credentials. Meanwhile it's also possible to perform the attack remotely, though in that case it does require a valid login.

The iDRAC vulnerability on previous-generation servers involves swapping the signed firmware for a different firmware package, evading several defenses that Dell EMC has in place for its prior-gen machines. Once a perpetrator gains control of the BMC firmware and servers, they can load and run whatever code they need, reboot machines while they are performing critically important tasks, or steal secret information.

What is particularly important is that BMC firmware can be altered before servers are deployed, or even before they are built. Companies like Google and Microsoft have implemented sophisticated hardware root-of-trust chains in order to prevent unauthorized access (both remote and physical). Dell EMC has added similar technology to its 14th Generation PowerEdge machines, but previous-gen iDRAC-enabled servers are still vulnerable. Furthermore, one thing to keep in mind is that Dell EMC still ships its 13th Gen PowerEdge machines to interested parties.

Dell EMC admits that certain versions of iDRAC firmware are vulnerable, but claims that the latest revisions have addressed the issue and that modern machines are as secure as possible. At the same time, a physical swap of an exposed BMC and the use of weak passwords for access still represent a threat to the industry in general.

Source: ServeTheHome

  • Frinkeldoodle - Wednesday, October 3, 2018 - link

    To be honest, if your BMC is accessible to the public internet, then you're gonna get what's coming to you - they're notoriously insecure in general. And if your server is physically accessible to a malicious party, then it's pretty much game over anyways.
  • GreenReaper - Thursday, October 4, 2018 - link

    BMCs don't seem to be treated as something which needs regular and ideally automated updates, when in fact they have web servers, SSH and suchlike which absolutely require it.

    The assumption seems to be that the owners will do it manually on a regular basis, but with the numbers and variety of servers out there this is unrealistic - certainly the ones we lease are often well out of date, and this is from a reputable provider.

    It doesn't help that some manufacturers, seeing security updates as a cost centre, have put up financial barriers to keeping servers up to date in the form of annual service subscriptions. Usually this hasn't been a problem for critical security issues, but there have been a few cases where I've had to hunt down RAID controller firmware on FTP servers.
