Can we talk about the little backdoors in data center servers, please?

Data centers are vital in this cloudy world – yet little-understood management chips potentially give hackers easy access to their servers in ways sysadmins may not have imagined. The components in question are known as baseboard management controllers (BMCs). They are discrete microcontrollers popped into boxes by the likes of …

If an attacker has freedom of movement on your management network

the vendors may be correct in assuming you are screwed already.

It is, however, not straightforward to detect or disinfect from such an attack, and this could be worse than the attack itself, potentially rendering the hardware itself a risk and a scratch restore insufficient.

It's an interesting vector, and anyone with their management networks exposed to the internet is doing the equivalent of leaving a truck full of new trainers unlocked in the middle of the street... (and that didn't end well either)


Re: If an attacker has freedom of movement on your management network

This vector has been known publicly since 2011, when a Russian scientist published a paper (originally in Russian) that Intel motherboards' BMCs have a malicious hypervisor embedded. Plus, guys at the University of Michigan had research on that matter published in 2012. So, for all about that, see our papers and presentations on www.rubos.com

Sorry, too much to repeat all that we published. Enjoy the NEWS of 2011 - 2012 at the Rubos, Inc. site!


So we spend so much time and effort securing our rented remote servers, only to have the hardware manufacturers leaving the backdoor wide open. Wonder if I can get a colo to host a box full of abacuses for me?


"an antiquated NEC CPU core that was popular in optical drives back in the day"

So what? Don't knock an IC just because it's old. It may be the perfect choice for the job. Plenty of Z80s still in use running vending machines and so on.

Anyway, iLO2 is obsolete; if you're running beige DL380s with the word Compaq on the front, you've got other problems to worry about.


Servers based on OpenPOWER ship with OpenBMC (Linux kernel + standard userspace), and you can choose exactly what level of network stack you actually want on the box since you get full source and can modify at will (e.g. removing IPMI network support just means removing the package from the build). Try that with your typical closed source x86 or ARM BMC!


This is news?


"This is news?"

More problematic is PHBs who try to pretend this stuff doesn't exist and "turn it off".

Except, for the most part you can't, which means assumptions about not needing to firewall/segment/check for these things piggybacking on mainboard ethernet ports are invalid.

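The reply above makes the practical point: since the BMC usually cannot be switched off, you have to find the ones riding on shared mainboard ports and firewall them. The following is an added example, not code from the article or from any commenter. It builds the RMCP/ASF Presence Ping (UDP/623) that IPMI tooling such as ipmitool uses for discovery, sends it to a list of hosts, and decodes the Presence Pong to report whether the responder speaks IPMI and RMCP+ security extensions. Field offsets follow the ASF/IPMI 2.0 RMCP layout; the sample reply and the probe_bmc helper name are constructed for this example.

```python
"""Find BMCs sharing a server NIC with an RMCP/ASF Presence Ping (UDP/623).

Added example, not from the article or any commenter.  Packet layout follows
the ASF 2.0 / IPMI 2.0 RMCP specification:
  RMCP header : version(1) reserved(1) sequence(1) class(1)
  ASF header  : IANA(4) msg_type(1) msg_tag(1) reserved(1) data_len(1)
  Pong data   : IANA(4) OEM(4) supported_entities(1) supported_interactions(1) reserved(6)
"""
import socket
import struct
import sys
from typing import Optional

RMCP_PORT = 623
RMCP_VERSION = 0x06          # ASF RMCP version 1.0
RMCP_CLASS_ASF = 0x06
RMCP_SEQ_NOACK = 0xFF        # no RMCP-level acknowledgement requested
ASF_IANA = 0x000011BE        # IANA enterprise number 4542 (ASF)
ASF_PRESENCE_PING = 0x80
ASF_PRESENCE_PONG = 0x40


def build_presence_ping(tag: int = 0x01) -> bytes:
    """Return the 12-byte Presence Ping datagram (RMCP header + ASF header, no data)."""
    rmcp = struct.pack("!BBBB", RMCP_VERSION, 0x00, RMCP_SEQ_NOACK, RMCP_CLASS_ASF)
    asf = struct.pack("!IBBBB", ASF_IANA, ASF_PRESENCE_PING, tag & 0xFF, 0x00, 0x00)
    return rmcp + asf


def parse_presence_pong(pkt: bytes) -> Optional[dict]:
    """Decode a Presence Pong; return None for anything that is not one."""
    if len(pkt) < 28:                       # 4 + 8 + 16 bytes of pong data
        return None
    ver, _res, _seq, cls = struct.unpack_from("!BBBB", pkt, 0)
    if ver != RMCP_VERSION or cls != RMCP_CLASS_ASF:
        return None
    iana, mtype, tag, _res2, dlen = struct.unpack_from("!IBBBB", pkt, 4)
    if iana != ASF_IANA or mtype != ASF_PRESENCE_PONG or dlen != 16:
        return None
    oem_iana, oem_defined, entities, interactions = struct.unpack_from("!IIBB", pkt, 12)
    return {
        "tag": tag,
        "oem_iana": oem_iana,
        "oem_defined": oem_defined,
        "ipmi_supported": bool(entities & 0x80),           # bit 7: IPMI over RMCP
        "asf_version": entities & 0x0F,                    # 1 = ASF 1.0
        "rmcp_security_extensions": bool(interactions & 0x80),  # RMCP+ (IPMI 2.0)
    }


def probe_bmc(host: str, timeout: float = 1.0) -> Optional[dict]:
    """Send one ping to host:623 and decode the reply; None if nothing answers."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_presence_ping(), (host, RMCP_PORT))
        try:
            data, _peer = s.recvfrom(512)
        except socket.timeout:
            return None
    return parse_presence_pong(data)


# Constructed sample reply, shaped like the pong an IPMI 2.0 BMC returns:
# entities 0x81 = IPMI supported + ASF 1.0, interactions 0x80 = RMCP+ supported.
SAMPLE_PONG = (
    struct.pack("!BBBB", RMCP_VERSION, 0x00, RMCP_SEQ_NOACK, RMCP_CLASS_ASF)
    + struct.pack("!IBBBB", ASF_IANA, ASF_PRESENCE_PONG, 0x01, 0x00, 0x10)
    + struct.pack("!IIBB", ASF_IANA, 0x00000000, 0x81, 0x80)
    + bytes(6)
)


if __name__ == "__main__":
    # Usage: python bmc_probe.py 10.0.0.10 10.0.0.11 ...
    for h in sys.argv[1:]:
        info = probe_bmc(h)
        if info is None:
            print(f"{h}: no RMCP response")
        else:
            print(f"{h}: BMC present, IPMI={info['ipmi_supported']}, "
                  f"RMCP+={info['rmcp_security_extensions']}")
```

Run it from the production VLAN, not the management VLAN: any host that answers is a controller reachable from where your servers live, which is exactly the "piggybacking on mainboard ethernet ports" case. A pong with ipmi_supported set is a BMC to inventory, check for default accounts, and move behind the firewall.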

beancounters

Best case: So some PHB gets a bonus for reducing costs by dropping the isolated management LAN and using a VPN across the internet. We all trust VPNs, not.

Usual case: some PHB/cost cutting designer puts ILOMs on same LAN as everything else.

Worst case: No-one even knows the ILOM is there with default passwords and accounts. Yep, I also am a pessimist because it is the most rational option. Don't need electrical stimulation, just the irritation of dealing with what passes as modern PMs, bean counters and CEOs and their ilk.


Talk about unintended consequences!

And all in the name of convenience. Maybe it's time to consider using totally dumb hardware, and absolutely no closed software...

Oh look, a flying pig.


Of course, data center managers aren’t stupid,

True, but how many installs are undertaken by data centre managers directed by properly architected security policies, and how many are installed by "the IT guy or girl" who is already run off their feet keeping up with the latest business changes to the company technology? A substantial chance for failed configuration or open access, even if only within the company network.


Thanks for depressing me first thing in the morning, El Reg....

It's not your fault, it's just that in the name of convenience and ease-of-management we have inserted SO MANY vulnerabilities into IT, which was already complicated to secure in the first place due to the myriad of hardware platforms, operating systems, network architectures, outsourced services, internet-facing devices, etc.

I guess that the prudent thing for an IT architect would be to assume that any technology or management tool that they are not intimately familiar with is probably insecure, and build in layered defenses in case that probability is borne out.

Anonymous Coward

upvoted and corrected

"I guess that the prudent thing for an IT architect would be to assume that any technology or management tool t̶h̶a̶t̶ ̶t̶h̶e̶y̶ ̶a̶r̶e̶ ̶n̶o̶t̶ ̶i̶n̶t̶i̶m̶a̶t̶e̶l̶y̶ ̶f̶a̶m̶i̶l̶i̶a̶r̶ ̶w̶i̶t̶h̶ is probably insecure, and build in layered defenses in case that probability is borne out."

FTFY


"is a lot better in terms of security with firmware that follows secure coding best practices."

Like f**k

This stinks of the "Security by obscurity" approach.

Intel's IME looked like a direct cut and paste of both the hardware and the software.

IMHO this, being (in principle) small but highly critical, should be written with the very sharpest methods for writing provably correct software.

It's not running the core load of the processor. Speed is not that vital, but minimal vulnerability is (I think zero vulnerability is impossible, but then again the Shuttle software, about 1MB in size, didn't have one found during live operation over 30+ years).

I don't see any chip designer or mfg having the skills or the commitment to do that.


Dumb question

If you stick chewing gum in the onboard ethernet port(s) does that mitigate, albeit with the loss of remote management facilities?


Really OLD NEWS at RedHat

Well, there has been University of Michigan research around 2012 about problems with system management software, and a Russian scientist found a spyware hypervisor in Intel motherboards' BMCs around 2008, and we talked about all this stuff twice at DeepSec 2014 and 2016... So, why is it NEWS? People, search the Internet for news and read what was published. Well, see all related research and presentations at www.rubos.com

Enjoy the article about malicious hypervisor embedded in Intel motherboards in English. Nobody knows that Intel has spyware in its management software, or at least had?

Biting the hand that feeds IT © 1998–2018