zlacker

>>zdw+(OP)
"If a potential attacker already has administrative access to the BMC..."

Then you've already lost.

The BMC needs to be ideally on a physically isolated network, or at least a separate one that has no route from the outside nor on the machine itself.

>>SoftTa+K5b
That’s a cop-out. It should be the case that even administrator access should not be abusable to implant permanent backdoors.

Anything that makes privileges escalation exploits more damaging is a real problem. I’m getting tired of how these are being dismissed as if admin access should mean that you can ignore any security issues. There are things that even admin accounts should not be able to change at the hardware level, or if they can they must be reversible in the future by another user with admin access.

> The BMC needs to be ideally on a physically isolated network, or at least a separate one that has no route from the outside nor on the machine itself.

This is good practice but it shouldn’t excuse poor security at the hardware level.

Supermicro motherboards also commonly default to having a feature that bonds the BMC network interface to one of the main NICs if you don’t plug a cable into the BMC interface. It’s common for people to be surprised that their BMC is exposed on their main network because they didn’t plug in a cable on the BMC NIC port at all.

>>Aurorn+S7b
I don't disagree, but if you have admin access to the BMC you can access the console, reboot the machine into single-user mode or even into another OS entirely, and then implant any malware you want, wipe the storage, etc.

Some of the Supermicro boards don't even have a separate BMC NIC, the only choice is to bond it to one of the main NICs or sacrifice one of them to be BMC only. I try to pay attention to that now after being surprised by that once on some servers we bought.

>>SoftTa+D8b
> I don't disagree, but if you have admin access to the BMC you can access the console, reboot the machine into single-user mode or even into another OS entirely, and then implant any malware you want, wipe the storage, etc.

Yes, all of which can be reversed by another admin in the future. That is expected.

It should not be the case that getting admin access one time can result in modifying the hardware in a way that can’t be reversed by future admin, short of physically reflashing the chip on the board.

>>Aurorn+Sbb
That is believe it or not true for nearly every computer on the planet.

If you have admin on windows you can flash the bios on regular motherboards with firmware that refuses to change.

>>buckle+bkb
Huh? I don’t understand what you are getting at. Every PC I’ve had uses a very simple protocol for bit banging new firmware.

>>adastr+JHb
Which only worked because the existing firmware let's it.

>>buckle+0ec
Flashing the EEPROM doesn’t involve the firmware.

>>adastr+dfc
Who do you think bit bangs the EEPROM?

>>labcom+qic
On some boards you can access can reconfigure GPIO pins of the chipset and bitbang SPI from the application processor (aka your normal x86_64 CPU) without firmware support.

>>crest+ozc
Isn't the firmware ultimately in charge of those pins, and able to block access to your OS if it chooses to?

>>Dylan1+3Re
Depending on the implementation, kinda, but maybe not in the way you are thinking.

More generally, when you get down to the bottom of the pile of elephants, you are requesting some software currently running on your computer to write some bits to some kind of storage medium.

But there is no law of physics that says the software must to do as you ask! If the software is malicious, it can refuse. It could even pretend that it updated the bits but not actually do so.

"Oh, but I booted into $OTHER_PROGRAM and it writes the bits!"

Maybe. But how do you know that the boot loader faithfully loaded it? You don't. Maybe the boot loader is malicious and patches your firmware updater so that it won't actually write new firmware.

If you squint and tilt your head, it kinda looks like Ken Thompson's "Reflections on Trusting Trust".