Virtual machines! Containers! Clouds!
Software, and our interaction with software, is getting further abstracted from the hardware on which it runs. That’s a good thing – better utilization of resources and much better options for scalability and recovery.
A lot of focus also goes into the security of operating systems, virtual machines, and containers. This is another good thing – and a very important one too.
But, wait – what about the servers on which our hypervisors or container machines run? They’ve kept up with the times, haven’t they?
Well, this year’s Black Hat USA security conference saw a briefing that suggests they might not.
Matias Sebastian Soler, a senior security researcher, and Nico Waisman, VP of Latam, both from Immunity, Inc., give a timely reminder that remote privileged access to servers through their out-of-band management controllers (BMCs) is, in effect, the same level of access as being physically present, especially if “smart” data patching solutions are deployed, leaving hands-on physical intervention as the only reason anyone might venture into the data hall. This access needs to be assessed for security and access control, with appropriate protections in place, such as air-gapped management networks isolated from the rest of the facility’s communications and accessed only through well-protected gateways with robust audit trails.
Their presentation can be found here: https://www.blackhat.com/us-18/briefings/schedule/#the-unbearable-lightness-of-bmcs-10035
“Welcome to a data center! A place where the air conditioner never stops and the long line of tiny, red and blue LEDs dance chaotically over the sounds of the never-ending fans, playing in unison.
One thing is certain, everyone avoids data centers like the plague. And, like one of the greatest leaders of our time once said: ‘Behind every need, there is a right’ (or in this case, a product).
Welcome to the world of Out of Band Power Management devices, where vendors decide to put an extra microprocessor inside the motherboard to allow you to remotely monitor heat, fans, and power.
We decided to take a look at these devices and what we found was even worse than what we could have imagined. Vulnerabilities that bring back memories from the 1990s, remote code execution that is 100% reliable and the possibility of moving bidirectionally between the server and the BMC, making not only an amazing lateral movement angle but the perfect backdoor too.”