Last year, Bloomberg ran a report, saying Supermicro-supplied servers come with Chinese backdoors and that this may have been a reason for Apple to dropped them in 2016; although Apple denied espionage concerns at the time. Although new research publsihed today doesn’t exactly confirm Bloomberg’s report that Supermicro servers ship with pre-installed backdoors, it does point to the microcontrollers used by Supermicro and the firmware that comes with them being easily backdoored without detection.
Researchers from Eclypsium, a firm specializing in firmware security, were able to commission a bare-metal server from IBM, install a backdoor in one of its microcontrollers, and then allowed IBM to re-use the server for other customers. The researchers were later able to reclaim that same server and noted that the backdoor was still active on the server, which means IBM lacks proper reclamation process that can clean previously used bare-metal servers of accidental or intentional backdoors. Attackers could use the same process that the researchers used to brick or steal data from other IBM customers.
Supermicro's “Parasitic Servers” Are Easily Exploitable
Previous research had shown that baseboard management controllers (BMCs), which are motherboard-attached microcontrollers, can give extraordinary remote access to servers inside data centers. The management capability on these BMCs is provided via the Intelligent Platform Management Interface (IPMI), which in many ways is similar to Intel’s Management Engine and its Active Management Technology and poses the same large risks of allowing attackers to take over servers remotely.
The IPMI is supposed to allow organizations to make configurations to a large number of servers remotely, even if the servers are turned off. In 2013, researchers pointed out that these BMCs can create “parasitic servers” that could allow attackers to take over entire server fleets in data centers.
Dan Farmer, a white hat security researcher, said at the time about BMCs and IPMI:
“Imagine trying to secure a computer with a small but powerful parasitic server on its motherboard; a bloodsucking leech that can't be turned off and has no documentation; you can't login, patch, or fix problems on it; server-based defensive, audit, or anti-malware software can't be used for protection; its design is secret, implementation old, and it can fully control the computer's hardware and software; and it shares passwords with a bunch of other important servers, stores them in clear text for attackers to access.”
Back then, the vulnerable firmware for these BMCs was developed by ATEN Technology, a Taiwanese company. These BMCs came pre-installed on servers from Dell, HP and other providers. A new paper is now showing that IBM’s servers are also highly vulnerable to undetectable backdoors installed in SuperMicro’s BMCs.
What Compromise of a Server's BMC Means
When an attacker compromises a BMC in a server, this opens up a variety of attack scenarios. For one, servers could be bricked, which means attackers could blackmail cloud service providers into paying them money “or else,” just as DDoS attackers have done in the past.
Having such low-level access to all the servers that are connected and controlled via a BMC means that the attackers can also extract all sorts of data from those servers from many cloud service customers. Ransomware and potentially crypto-mining malware could also be installed on many of the compromised servers.
The Eclypsium researchers recommended cloud service providers extend the reclamation process to the firmware level to ensure that any bare-metal reclaimed servers from a previous customer weren’t intentionally compromised.
The reclamation process should also include updating the BMC firmware manually, as well as the UEFI firmware via the BMC. The service providers should also continuously monitor changes to their servers’ firmware to spot attacks as they happen.
Over the past few years, more companies have come to realize that supply-chain security is just as important if not more important than applying software patches. Verifying that purchased hardware hasn’t been tampered with either from factory or somewhere in the supply chain should be an even bigger priority for cloud service providers who are responsible for the data protection of millions of customers.