Researchers have sounded a warning about the security of Baseboard Management Controllers (BMCs) – a critical component that datacentres depend on to manage servers.
According to Eclypsium, the BMC used by one server brand, Supermicro, has an insecure updating process that could allow an attacker to modify its firmware or run malware.
Affecting X8 through X11-generation systems, the BMC code wasn’t carrying out cryptographic signature verification before accepting firmware updates, the company said.
BMCs are like powerful computers-within-the-server, complete with their own CPU and memory, that remain turned on even when the server is not being used (not dissimilar to the Intel Management Engine found inside home computers).
When compromised, an attacker would be able to sneak their own modified firmware onto a server – something that would give admins a very bad day at the office.
This is the privileged layer used to issue server wipes and OS reinstalls, which would hand the same power to attackers to take over the system, or to ‘brick’ it as part of a denial-of-service attack, or possibly move sideways to other parts of the network.
It would also be incredibly difficult to detect, let alone stop once it had started – the attacker would have loaded their own firmware after all.
Read more: Naked Security by Sophos