You dirty DRAC: IT bods uncover Dell server firmware security slip

A pair of IT professionals have uncovered a potentially serious flaw in the hardware management tools for older Dell servers. The upshot is that it is possible for a rogue system administrator, or someone who has obtained their network access, or miscreants in the supply chain, to reprogram vulnerable PowerEdge motherboard …

  1. DCFusor

    I don't understand

    If this "root of trust" thingie is something they add as an upgrade...how do they make it forever not-rewriteable so that the same hacker can't just change the key to make the malware check out, or simply remove the checking altogether, since as described, this "root of trust" seems to be firmware/key in writeable - and updateable - memory.

    If you're root, there's not much that's impossible if the storage can be written...maybe their fix only broke one existing vector, seems more likely to me.

    Security is HARD.

    1. doublelayer Silver badge

      Re: I don't understand

      I assume the key and a tiny bootloader checker is hardcoded into something non-writeable, so the code must be signed with the known key and checked before it runs. Therefore, new code can't be installed unless it's signed with the key, and without said new code, you can't ignore the key. Not perfect, but it will probably work. It would be difficult enough to run the previous exploit, limiting the number of people who have sufficient access, so this further restriction will probably reduce the likelihood that something of the kind will happen. Hopefully, Dell has really good security on that key.
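The verify-before-run chain the two comments above argue about, as an added illustration that is not part of the thread or of Dell's code: a ROM-pinned public key versus a verifier that trusts whatever key the writable image carries. The image layout, the label-derived demo keys and the firmware strings are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Image is the writable firmware layout assumed for this demo: a public key
// travels with the image, followed by the code and an Ed25519 signature.
type Image struct {
	EmbeddedKey ed25519.PublicKey // lives in writable flash, so it is attacker-controlled
	Code        []byte
	Sig         []byte
}

// keyFromLabel derives a deterministic Ed25519 key from a label (demo only).
func keyFromLabel(label string) ed25519.PrivateKey {
	seed := sha256.Sum256([]byte(label))
	return ed25519.NewKeyFromSeed(seed[:])
}

// DemoRomKey stands in for the vendor public key burned into non-writeable ROM.
func DemoRomKey() ed25519.PublicKey {
	return keyFromLabel("vendor signing key (demo)").Public().(ed25519.PublicKey)
}

// SignImage builds an image signed by priv that also carries priv's public key.
func SignImage(priv ed25519.PrivateKey, code []byte) Image {
	return Image{
		EmbeddedKey: priv.Public().(ed25519.PublicKey),
		Code:        code,
		Sig:         ed25519.Sign(priv, code),
	}
}

// VerifyWithRom checks the image only against the ROM key; the key field in
// the image is ignored, so rewriting it buys an attacker nothing.
func VerifyWithRom(romKey ed25519.PublicKey, img Image) bool {
	return ed25519.Verify(romKey, img.Code, img.Sig)
}

// VerifyNaive trusts the key shipped inside the image: the "just change the
// key" weakness DCFusor describes. Any self-signed image passes.
func VerifyNaive(img Image) bool {
	return ed25519.Verify(img.EmbeddedKey, img.Code, img.Sig)
}

func main() {
	good := SignImage(keyFromLabel("vendor signing key (demo)"), []byte("genuine bmc firmware"))
	rogue := SignImage(keyFromLabel("rogue key (demo)"), []byte("modified bmc firmware"))
	fmt.Println(VerifyWithRom(DemoRomKey(), good), VerifyWithRom(DemoRomKey(), rogue)) // true false
	fmt.Println(VerifyNaive(good), VerifyNaive(rogue))                                   // true true
}
```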

  2. oiseau

    ... malware can survive operating system reinstallation, hard disk wiping and replacement, and motherboard BIOS rewrites. It can be virtually undetectable, and can snoop on and tamper with whatever happens on the compromised machine.

    My Sun workstation has something that matches that very same description: the Intel 82X38/X48 Express Management Engine Interface Controller.

    And it's even better as you don't need physical access to the rig and it won't be disabled by disabling it in BIOS.

  3. Marty McFly Silver badge

    CIA? NSA? Not a bug, a 'feature'?

    Somewhere in the back of my mind I recall a story years ago about CIA/NSA types intercepting hardware bound for foreign destinations and swapping out chips. Opening the boxes while in transit, back of a semi-truck, airplane cargo hold, resealing the boxes, that kind of a thing.

    My tin-foil hat side suggests this could simply be an undocumented 'feature' built into the iDRAC to facilitate easy hardware tampering between manufacturer and customer. No more chip swapping. Just flash in your CIA-customized iDRAC code and the magic happens.

    1. doublelayer Silver badge

      Re: CIA? NSA? Not a bug, a 'feature'?

      I'm as paranoid as the next security person but somehow I think that the tool that does this won't be something this version-specific. The espionage people wouldn't want something to break just because a new update was released. Also, they'd have trouble intercepting servers manufactured outside their borders between factory and customer. Not that they couldn't do it, but it would be harder to do so to a lot of people at once.

      1. Anonymous Coward

        Re: CIA? NSA? Not a bug, a 'feature'?

        "Also, they'd have trouble intercepting servers manufactured outside their borders between factory and customer."

        Oh? What about at customs?

        1. doublelayer Silver badge

          Re: CIA? NSA? Not a bug, a 'feature'?

          It wouldn't go through customs. A server manufactured in China/Taiwan gets sent to Australia and used for something $agency wants to receive, and it hasn't gone through U.S.-controlled customs. You could intercept it at the factory, or perhaps get the Australians to help you, but you can't get every one of them. And if the Australians will do that one, do you have the same relationship with every other country that server could be going to? Especially if the path is China->Iran, it won't be so easy for you.

          1. Charles 9

            Re: CIA? NSA? Not a bug, a 'feature'?

            "It wouldn't go through customs. A server manufactured in China/Taiwan gets sent to Australia and used for something $agency wants to receive, and it hasn't gone through a U.S. controlled customs."

            Explain. What kinds of things DON'T go through US customs upon entering the US unless the US trusts the intermediary? Isn't that exactly why there are limited Ports of Entry?

            As for any other country, wouldn't that be the job of their Customs or equivalent to check for contraband?

  4. Nate Amsden

    used to be a time

    Where people shunned the idea of dealing with signed code with hardware as it limited your ability to mess with it (one big example which was more of a licensing thing than a signing thing was Tivo).

    I also remember that in several communities years ago the whole concept of TPM was quite scary (I include myself in the list of people that feared TPM - and I still don't like it; fortunately in most cases it can be kept disabled without any issue (AFAIK I've never had a system with it enabled), though I think perhaps in some products like MS Surface (guessing) it may be forced enabled).

    Nowadays it seems sad that everything that allows you to install unsigned code, which previously was a good thing, is now an evil thing because it's not "secure".

    sad.

    1. Pascal Monett Silver badge

      Well it was previously a good thing when access to the hardware was much more limited, the Internet was non-existent and malware was limited to making your computer say hi on boot on a specific day.

      Nowadays malware is much more dangerous, and a disgruntled employee with server room access is practically one web search away from downloading code that can hurt your business, so yes, being able to install unsigned hardware code is now insecure.

      1. Charles 9

        I guess a lot of it depends on perspective. Code signing, like a lot of other things, is dual-use. Locking the firmware prevents a lot of people from monkeying with it. That happens to include malware writers...and you.

  5. tcmonkey

    Baseband Management Controller

    That ought to be "BaseBOARD Management Controller", Shirley?

    1. Anonymous Coward

      Re: Baseband Management Controller

      Oddly (or not, I guess), baseband processors for wifi gear are somewhat analogous, including similar security concerns...

  6. Potemkine! Silver badge

    So, except checking regularly that the iDRAC version doesn't change, what can a sysadmin do once the server's iDRAC access has been well restricted?

    1. phuzz Silver badge

      Well the obvious step would be to only connect the DRAC's ethernet port to a dedicated management network.

      That said I've never worked anywhere where the management network was completely locked down and air gapped, but at least an attacker would have to find a way to get onto an admin's machine first.

      1. Charles 9

        For which, as the article noted, an Evil Insider may well already have the necessary trust. It's very hard to beat an Evil Insider because they build up their trust prior to attacking.

        1. J. Cook Silver badge

          Indeed; there have been more than a few stories published on this site about rogue sysadmins screwing over their former employers after getting walked out the door for whatever reason (usually things that would have been major "DO NOT HIRE" flags, or things that could have been corrected early before they were allowed to fester).

  7. DelM

    Scooped?

    El Reg, did you get scooped? Or just missed this for something shinier at the time?

    https://www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s-top-companies
