Application Security

12/19/2018
04:30 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
0%
100%

How to Remotely Brick a Server

Researchers demonstrate the process of remotely bricking a server, which carries serious and irreversible consequences for businesses.

Attackers with access to your server holds your company in their hands – and it's not hard for them to abuse their power and brick the server from anywhere, researchers report.

Most people view firmware attacks, and other attacks that cause permanent damage, as physical in nature. Analysts at Eclypsium sought to demonstrate how it's possible to remotely brick a server and disrupt infrastructure by exploiting vulnerabilities in the baseboard management controller (BMC) and system firmware. The result would spell enterprise disaster.

The idea of bricking systems is not new, says John Loucaides, vice president of engineering at Eclypsium. While the concept has been around for a while, and security experts have discovered the vulnerabilities that could lead to this level of compromise, few have shown it. Eclypsium's goal in documentation published today is to help improve understanding of the remote attack vector, which can be performed at scale with enormous potential damage.

"It's a fairly significant impact," Loucaides points out. Recovery for most malware involves wiping affected systems and restoring good data. Recovery for this type of attack would require opening each affected server and physically connecting to deliver new firmware. It's a slow, technical process that's beyond the abilities of most IT staff and current enterprise systems, Loucaides explains. "This is an area that normal security technologies are missing," he says.

It doesn't take a sophisticated actor to pull this off, he notes. Many people will think of this as a nation state-level attack, he continues, but open source toolkits exist on the Internet that can give attackers the access they need to render a target system inoperable. Eclypsium's demonstration marks the first time it's using this specific method and technique, and it emphasizes the low barrier to entry for launching a successful attack of this nature.

Similar threats have been seen in the wild, Loucaides explains. Attackers have replaced server components with corrupted firmware, for example, or firmware that doesn't work. Eclypsium's method, which leverages past BMC research, bricks a server by remotely exploiting a BMC. If you're not familiar, the BMC is an independent computer within the server. It's used to remotely configure the system without relying on the host operating system or applications.

How It Plays Out
Step one is getting a foot in the door. "The first thing we're doing is assuming you have some sort of compromise," Loucaides explains. Perhaps the system got infected with malware; perhaps credentials were lost and picked up by the wrong person.

In Eclypsium's demonstration, researchers then used normal update tools to pass a malicious firmware image to the BMC. No special authentication or credentials are required to do this, and the firmware update contains additional code which, once triggered, erases the UEFI system firmware and essential components of the BMC firmware itself, analysts say in a blog.

Why target the BMC? You could target any part of the server and get a similar result, says Loucaides, but the BMC "is the most understandable and the most obvious." In a ransomware attack or other major-impact scenario, the BMC is used to recover the system.

Step three is when the BMC boots to the attacker supplied image. Because the BMC handles system management and recovery, it can install components into any part of the system. Researchers could use the malicious capability they installed in the BMC to corrupt system firmware; by corrupting the BMC, they leave no path for a system operator to recover it.

There is an arbitrary amount of time between stages three and four, in which the code executes, Loucaides explains. Attackers could launch malicious code as soon as they gain access via credential compromise, or they could install a component in the BMC and leave it there for as long as they like. "It doesn't all have to happen at the same time," he adds. The final payload could be triggered by a timer or external command and control.

The window between stages three and four depends on the attacker's goals. If they're going for maximum damage and disruption, Loucaides says, he would likely want to take his time and infect as many components as possible before bringing it all down at once. In step five, the BMC reboots the server, which is now unusable.

What You Can Do
Existing security defenses don't focus on firmware or hardware, says Loucaides, but there are ways to stop this type of attack. It starts with preventing initial compromise, which goes back to basic cyber hygiene: protecting credentials, for example, and using multifactor authentication.

"You can't do everything perfectly," he admits. "Something is going to go wrong. The trick is to be assessing the integrity of different components in your system."

Updates get plenty of attention at the application and operating system level, he continues, but not many people pay attention to firmware updates. Security teams should be running scans and monitoring infrastructure for anomalies, and interrupting the process before it's complete.

Related Content:

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Crowdsourced vs. Traditional Pen Testing
Alex Haynes, Chief Information Security Officer, CDL,  3/19/2019
BEC Scammer Pleads Guilty
Dark Reading Staff 3/20/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-18913
PUBLISHED: 2019-03-21
Opera before 57.0.3098.106 is vulnerable to a DLL Search Order hijacking attack where an attacker can send a ZIP archive composed of an HTML page along with a malicious DLL to the target. Once the document is opened, it may allow the attacker to take full control of the system from any location with...
CVE-2018-20031
PUBLISHED: 2019-03-21
A Denial of Service vulnerability related to preemptive item deletion in lmgrd and vendor daemon components of FlexNet Publisher version 11.16.1.0 and earlier allows a remote attacker to send a combination of messages to lmgrd or the vendor daemon, causing the heartbeat between lmgrd and the vendor ...
CVE-2018-20032
PUBLISHED: 2019-03-21
A Denial of Service vulnerability related to message decoding in lmgrd and vendor daemon components of FlexNet Publisher version 11.16.1.0 and earlier allows a remote attacker to send a combination of messages to lmgrd or the vendor daemon, causing the heartbeat between lmgrd and the vendor daemon t...
CVE-2018-20034
PUBLISHED: 2019-03-21
A Denial of Service vulnerability related to adding an item to a list in lmgrd and vendor daemon components of FlexNet Publisher version 11.16.1.0 and earlier allows a remote attacker to send a combination of messages to lmgrd or the vendor daemon, causing the heartbeat between lmgrd and the vendor ...
CVE-2019-3855
PUBLISHED: 2019-03-21
An integer overflow flaw which could lead to an out of bounds write was discovered in libssh2 before 1.8.1 in the way packets are read from the server. A remote attacker who compromises a SSH server may be able to execute code on the client system when a user connects to the server.