Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

12/19/2018
04:30 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
0%
100%

How to Remotely Brick a Server

Researchers demonstrate the process of remotely bricking a server, which carries serious and irreversible consequences for businesses.

Attackers with access to your server holds your company in their hands – and it's not hard for them to abuse their power and brick the server from anywhere, researchers report.

Most people view firmware attacks, and other attacks that cause permanent damage, as physical in nature. Analysts at Eclypsium sought to demonstrate how it's possible to remotely brick a server and disrupt infrastructure by exploiting vulnerabilities in the baseboard management controller (BMC) and system firmware. The result would spell enterprise disaster.

The idea of bricking systems is not new, says John Loucaides, vice president of engineering at Eclypsium. While the concept has been around for a while, and security experts have discovered the vulnerabilities that could lead to this level of compromise, few have shown it. Eclypsium's goal in documentation published today is to help improve understanding of the remote attack vector, which can be performed at scale with enormous potential damage.

"It's a fairly significant impact," Loucaides points out. Recovery for most malware involves wiping affected systems and restoring good data. Recovery for this type of attack would require opening each affected server and physically connecting to deliver new firmware. It's a slow, technical process that's beyond the abilities of most IT staff and current enterprise systems, Loucaides explains. "This is an area that normal security technologies are missing," he says.

It doesn't take a sophisticated actor to pull this off, he notes. Many people will think of this as a nation state-level attack, he continues, but open source toolkits exist on the Internet that can give attackers the access they need to render a target system inoperable. Eclypsium's demonstration marks the first time it's using this specific method and technique, and it emphasizes the low barrier to entry for launching a successful attack of this nature.

Similar threats have been seen in the wild, Loucaides explains. Attackers have replaced server components with corrupted firmware, for example, or firmware that doesn't work. Eclypsium's method, which leverages past BMC research, bricks a server by remotely exploiting a BMC. If you're not familiar, the BMC is an independent computer within the server. It's used to remotely configure the system without relying on the host operating system or applications.

How It Plays Out
Step one is getting a foot in the door. "The first thing we're doing is assuming you have some sort of compromise," Loucaides explains. Perhaps the system got infected with malware; perhaps credentials were lost and picked up by the wrong person.

In Eclypsium's demonstration, researchers then used normal update tools to pass a malicious firmware image to the BMC. No special authentication or credentials are required to do this, and the firmware update contains additional code which, once triggered, erases the UEFI system firmware and essential components of the BMC firmware itself, analysts say in a blog.

Why target the BMC? You could target any part of the server and get a similar result, says Loucaides, but the BMC "is the most understandable and the most obvious." In a ransomware attack or other major-impact scenario, the BMC is used to recover the system.

Step three is when the BMC boots to the attacker supplied image. Because the BMC handles system management and recovery, it can install components into any part of the system. Researchers could use the malicious capability they installed in the BMC to corrupt system firmware; by corrupting the BMC, they leave no path for a system operator to recover it.

There is an arbitrary amount of time between stages three and four, in which the code executes, Loucaides explains. Attackers could launch malicious code as soon as they gain access via credential compromise, or they could install a component in the BMC and leave it there for as long as they like. "It doesn't all have to happen at the same time," he adds. The final payload could be triggered by a timer or external command and control.

The window between stages three and four depends on the attacker's goals. If they're going for maximum damage and disruption, Loucaides says, he would likely want to take his time and infect as many components as possible before bringing it all down at once. In step five, the BMC reboots the server, which is now unusable.

What You Can Do
Existing security defenses don't focus on firmware or hardware, says Loucaides, but there are ways to stop this type of attack. It starts with preventing initial compromise, which goes back to basic cyber hygiene: protecting credentials, for example, and using multifactor authentication.

"You can't do everything perfectly," he admits. "Something is going to go wrong. The trick is to be assessing the integrity of different components in your system."

Updates get plenty of attention at the application and operating system level, he continues, but not many people pay attention to firmware updates. Security teams should be running scans and monitoring infrastructure for anomalies, and interrupting the process before it's complete.

Related Content:

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-23901
PUBLISHED: 2021-01-25
An XML external entity (XXE) injection vulnerability was discovered in the Nutch DmozParser and is known to affect Nutch versions < 1.18. XML external entity injection (also known as XXE) is a web security vulnerability that allows an attacker to interfere with an application's processing of XML ...
CVE-2020-17532
PUBLISHED: 2021-01-25
When handler-router component is enabled in servicecomb-java-chassis, authenticated user may inject some data and cause arbitrary code execution. The problem happens in versions between 2.0.0 ~ 2.1.3 and fixed in Apache ServiceComb-Java-Chassis 2.1.5
CVE-2020-12512
PUBLISHED: 2021-01-22
Pepperl+Fuchs Comtrol IO-Link Master in Version 1.5.48 and below is prone to an authenticated reflected POST Cross-Site Scripting
CVE-2020-12513
PUBLISHED: 2021-01-22
Pepperl+Fuchs Comtrol IO-Link Master in Version 1.5.48 and below is prone to an authenticated blind OS Command Injection.
CVE-2020-12514
PUBLISHED: 2021-01-22
Pepperl+Fuchs Comtrol IO-Link Master in Version 1.5.48 and below is prone to a NULL Pointer Dereference that leads to a DoS in discoveryd