NSA and CISA have released a new guide to Baseboard management controllers (BMCs). BMCs are common components of server-class computers and malicious cyber actors could use these controllers’ capabilities to compromise industry and government systems.
“Implementation of effective security defences for these embedded controllers is frequently overlooked,” said Neal Ziring, the Technical Director for NSA’s Cybersecurity Directorate. “The firmware in these controllers is highly privileged. Malicious actors can use the firmware’s capabilities to remotely control a critical server while bypassing traditional security tools.”
Organisations need to take action to secure servers with BMCs. To assist network defenders in this, NSA and the Cybersecurity and Infrastructure Security Agency (CISA) jointly released the Cybersecurity Information Sheet, “Harden Baseboard Management Controllers.” The guidance includes recommendations and mitigations for network defenders to secure their systems.
A BMC is an embedded component that runs independent of the server’s operating system (OS). Once powered up, a BMC’s capabilities persist even if the server is shut down.
BMCs are beneficial for system administrators as they provide remote access to servers’ resources for network configuration and management. In addition, BMC enterprise management solutions allow administrators to handle large numbers of servers remotely. Cyber actors can abuse these capabilities in a variety of ways, including to:
- Disable security solutions, such as Trusted Platform Module (TPM) and Unified Extensible Firmware Interface (UEFI) Secure Boot.
- Manipulate data on any attached storage media.
- Propagate implants or disruptive instructions across a network infrastructure.
NSA and CISA recommend system owners and network defenders implement the mitigations listed in the report, including:
- Hardening BMC credentials and configurations
- Monitoring BMC integrity and updating BMCs
- Establishing virtual network separation to isolate BMC network connections
