Dell EMC’s Older PowerEdge iDRAC BMC Vulnerable to Firmware Replacement Attack
Every modern server is equipped with a baseboard management controller (BMC) that enables its remote management. A BMC is essentially a computer within a computer with its own memory, firmware, graphics, and, like any other computer, potential vulnerabilities. Last week it was discovered that Dell EMC’s proprietary iDRAC (integrated Dell Remote Access Controller) hardware/software system used on the 13th Generation PowerEdge servers (and older) is vulnerable to an attack that allows the unauthorized replacement of the BMC’s firmware, swapping out the stock firmware with a malicious one.
The vulnerability allows the firmware swap to take place with either local or remote access. With physical access to the server, it’s possible to replace the firmware even without valid login credentials. Meanwhile it’s also possible to perform the attack remotely, though in that case it does require a valid login.
The iDRAC vulnerability on previous-gen servers involves swapping the signed firmware for a different firmware package, evading several defenses that Dell EMC has in place for its prior-gen machines. Once a perpetrator gains control of the BMC firmware and the servers it manages, they can load and run whatever code they need, reboot machines while those machines are performing critical tasks, or steal secret information.
What is particularly important is that BMC firmware can be altered before servers are deployed, or even before they are manufactured. Companies like Google and Microsoft have implemented sophisticated hardware root-of-trust chains in order to prevent unauthorized access (both remote and physical). Dell EMC has added similar technology to its 14th Generation PowerEdge machines, but previous-gen iDRAC-enabled servers are still vulnerable. Furthermore, one thing to keep in mind is that Dell EMC still ships its 13th Gen PowerEdge machines to interested parties.
Dell EMC admits that certain versions of iDRAC firmware are vulnerable, but claims that the latest revisions have addressed the issue and that modern machines are as secure as possible. At the same time, a physical swap of an exposed BMC, and the use of weak passwords for access, still represent a threat for the industry in general.