
Yet Another Supply Chain – Multi Vendor Firmware Attack

This is getting old.

I have written about a number of UEFI bugs that allow an attacker to compromise a system. This is similar, but worse. As a reminder, UEFI is the firmware that replaced the BIOS in all computers. Among many other services, UEFI validates that the software being loaded has not been modified – AKA compromised.

This attack doesn’t even require an operating system to be installed.

This is the ultimate “cross-platform” attack. Mac – yes. Windows – yes. Linux – yes. BSD Unix – yup, that too. All it requires is hardware with a bug in it.

You are probably wondering who makes this vulnerable hardware. That is simple:

AMD.

Ampere Computing.

ASRock.

Asus.

ARM.

Dell EMC.

Gigabyte.

HP Enterprise.

Huawei.

Inspur.

Lenovo.

NVidia.

Qualcomm.

Quanta.

Tyan.

And probably others. It doesn’t mean that every product these companies make is vulnerable, just some of their products. But maybe all.

So what is the “problem”?

Most high-end servers have a computer hidden inside the computer that the user sees. Dell calls theirs the DRAC, for Dell Remote Access Controller. It allows IT admins to control a computer even if it is powered off – as long as it is plugged in. HP calls theirs Integrated Lights-Out (iLO). Generically they are called Baseboard Management Controllers, or BMCs.

We have seen other BMCs with bugs. Supermicro in 2019, for example. But that only affected one maker of computer motherboards (IBM calls them Planar Boards, to be politically correct).

This affects many manufacturers and many models.

One small bit of good news.

Hopefully no one is stupid enough to expose their BMCs directly to the Internet. Hopefully not any reader of this post, for sure.

That means that the hacker needs to compromise at least one computer somewhere in your network in order to pull off this feat. I am sure that every single one of your computers and users is as secure as Fort Knox. Not likely.

The attack allows the hacker to run code as sysadmin, open a reverse shell to a network of the hacker’s choice and scamper freely all over the family jewels. The attack is rated 9.9/10.0. Whew. At least it is not a 10.

The second bug is an attack on hard-coded credentials for BMC user 0. If the admins didn’t change the default BMC user 0, then it is game over. Rate this one 8.3.

The next bug is “only” rated 7.5. It allows a hacker to enumerate the BMC’s users and perform a password reset.

Of course, all of you reading this regularly patch your baseboard management controller software on all of your servers – including the ones in the cloud – and also change or disable BMC user 0.
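Patching and disabling user 0 close the holes; the point made above, that the attacker first has to take over an ordinary machine inside your network and then reach for the BMCs, also suggests a detection. The script below is an added example, not from the original post or any vendor: it walks firewall log lines (constructed sample, constructed format) and flags any accepted connection to a BMC management address on an IPMI or BMC web port that did not come from an approved admin jump host. The management subnet, admin host addresses and port list are assumptions.

```python
"""Detect BMC management access from hosts that are not the admin jump hosts."""
import ipaddress
import re

# Management network that holds the BMCs (DRAC, iLO, ...): assumption for this example.
BMC_NET = ipaddress.ip_network("10.250.0.0/24")
# Only these admin jump hosts are expected to ever talk to a BMC (assumption).
ADMIN_HOSTS = {ipaddress.ip_address("10.1.1.10"), ipaddress.ip_address("10.1.1.11")}
# IPMI over RMCP+ (623/udp) and the BMC web interface (443/tcp).
BMC_PORTS = {623, 443}

# Constructed log format: "<timestamp> <action> <proto> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\S+) (?P<proto>\S+) "
    r"(?P<src>[0-9.]+):(?P<sport>\d+) -> (?P<dst>[0-9.]+):(?P<dport>\d+)$"
)


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["src"] = ipaddress.ip_address(rec["src"])
    rec["dst"] = ipaddress.ip_address(rec["dst"])
    rec["dport"] = int(rec["dport"])
    return rec


def suspicious_bmc_access(lines):
    """Return (ts, src, dst, dport) for accepted BMC-port connections from non-admin hosts."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["action"] != "ACCEPT":
            continue  # unparsable or already blocked by the firewall
        if rec["dst"] in BMC_NET and rec["dport"] in BMC_PORTS and rec["src"] not in ADMIN_HOSTS:
            hits.append((rec["ts"], str(rec["src"]), str(rec["dst"]), rec["dport"]))
    return hits


SAMPLE_LOG = [  # constructed sample lines
    "2023-01-10T10:00:01Z ACCEPT TCP 10.1.1.10:51000 -> 10.250.0.7:443",   # admin host: fine
    "2023-01-10T10:00:05Z ACCEPT UDP 10.20.4.55:40111 -> 10.250.0.7:623",  # workstation -> IPMI
    "2023-01-10T10:00:09Z ACCEPT TCP 10.20.4.55:40112 -> 10.250.0.9:443",  # workstation -> BMC web
    "2023-01-10T10:00:12Z DROP TCP 203.0.113.5:4444 -> 10.250.0.7:443",    # blocked: not reported
    "2023-01-10T10:00:15Z ACCEPT TCP 10.20.4.55:40113 -> 10.30.0.2:443",   # not a BMC address
]

if __name__ == "__main__":
    for hit in suspicious_bmc_access(SAMPLE_LOG):
        print("ALERT: BMC access from non-admin host:", hit)
```

Feed it your own firewall or NetFlow export (adjusting the regex) and any hit is a workstation talking to a BMC, which is exactly the hop the attack described above needs.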

This is not something Microsoft can do because this is way below the operating system. These patches come from your computer vendor.

If you need help, please contact us.

Credit: CSO Online