CISA, NSA release information sheet to network defenders on protecting BMCs, provide mitigations

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) jointly released an information sheet that assists network defenders in protecting baseboard management controllers (BMCs). The guidance highlights threats to BMCs, details actions organizations can use to harden them, and includes recommendations and mitigations for network defenders to secure their systems. 

BMCs are beneficial for system administrators as they provide remote access to servers’ resources for network configuration and management. In addition, BMC enterprise management solutions allow administrators to handle large numbers of servers remotely. Hackers can abuse these capabilities in various ways, including disabling security solutions, such as Trusted Platform Module (TPM) and UEFI Secure Boot; manipulating data on any attached storage media; and propagating implants or disruptive instructions across a network infrastructure.

“BMCs are trusted components designed into a computer’s hardware that operate separately from the operating system and firmware to allow for remote management and control, even when the system is shut down,” the guidance released by the NSA and CISA, titled ‘Harden Baseboard Management Controllers,’ identified. “A BMC differs from the basic input output system (BIOS) and the Unified Extensible Firmware Interface (UEFI), which have a later role in booting a computer, and management engine (ME), which has different remote management functionality.” 

The information sheet further identified that the BMC firmware is highly privileged, executes outside the scope of operating system (OS) controls, and has access to all resources of the server-class platform on which it resides. “It executes the moment power is applied to the server. Therefore, boot to a hypervisor or OS is not necessary as the BMC functions even if the server is shut down.” 

“Implementation of effective security defenses for these embedded controllers is frequently overlooked,” Neal Ziring, technical director for NSA’s Cybersecurity Directorate, said in a media statement. “The firmware in these controllers is highly privileged. Malicious actors can use the firmware’s capabilities to remotely control a critical server while bypassing traditional security tools.”

Most BMCs provide network-accessible configuration and management, and BMC management solutions administer large numbers of servers without requiring a physical touch, the guidance said. “They take the form of a dedicated circuit chip with discrete firmware that must be maintained separately from automated or OS-hosted patching solutions. Most BMCs do not provide integration with user account management solutions. Administrators must perform updates and all administrative actions affecting BMCs via commands delivered over network connections. Many organizations fail to take the minimum action to secure and maintain BMCs,” it added.

Hardened credentials, firmware updates, and network segmentation options are frequently overlooked, leading to a vulnerable BMC, the cybersecurity guidance outlined. “A vulnerable BMC broadens the attack vector by providing malicious actors the opportunity to employ tactics such as establishing a beachhead with pre-boot execution potential. Additionally, a malicious actor could disable security solutions such as the trusted platform module (TPM) or UEFI secure boot, manipulate data on any attached storage media, or propagate implants or disruptive instructions across a network infrastructure,” it added.

Traditional tools and security features, including endpoint detection and response (EDR) software, intrusion detection/prevention systems (IDS/IPS), anti-malware suites, kernel security enhancements, virtualization capabilities, and TPM attestation are ineffective at mitigating a compromised BMC. 

The information sheet identified recommended actions that align with the cross-sector cybersecurity performance goals (CPGs), developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement.

Some of the recommended actions provided in the document include changing the default BMC credentials as soon as possible. “Establish unique user accounts for administrators, if supported. Always use strong passwords compliant with NIST guidelines such as SP 800-63B. Do not expose default credentials to an internet connection or untrusted segment of an enclave.”
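The credential recommendations above translate into a check an administrator can run over an exported BMC account list. The script below is an added example written for this article, not code from the CISA/NSA information sheet; the factory-default pairs, the blocklist and the sample accounts are constructed placeholders (a real run would load vendor defaults from the BMC vendor's documentation and a blocklist from a breached-credential corpus). It follows the SP 800-63B approach of enforcing a minimum length and screening against known-bad values rather than composition rules.

```python
"""Credential hygiene check for BMC accounts, in the spirit of NIST SP 800-63B.

Added example, not code from the CISA/NSA information sheet. KNOWN_DEFAULTS,
COMMON_BLOCKLIST and SAMPLE_ACCOUNTS are constructed placeholders.
"""
from __future__ import annotations
import re

# Constructed placeholders standing in for vendor factory defaults.
KNOWN_DEFAULTS = {
    ("admin", "ChangeMe-Default"),
    ("root", "PLACEHOLDER-FACTORY-PASSWORD"),
}

# Constructed stand-in for the "commonly used, expected or compromised" list
# that SP 800-63B says a chosen secret must be screened against.
COMMON_BLOCKLIST = {"password", "password1", "letmein", "qwerty123", "12345678"}

MIN_LENGTH = 8  # SP 800-63B minimum length for a user-chosen memorized secret


def is_sequential(s: str) -> bool:
    """True when every adjacent pair of characters steps by exactly +1 or -1
    in code point, e.g. "abcdefgh" or "87654321"."""
    if len(s) < 3:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return steps == {1} or steps == {-1}


def check_bmc_password(username: str, password: str,
                       blocklist: set[str] = COMMON_BLOCKLIST) -> list[str]:
    """Return a list of findings; an empty list means the credential passes.

    SP 800-63B discourages composition rules (required symbols, digits and
    so on), so none are enforced here; length and screening do the work.
    """
    findings: list[str] = []
    if (username, password) in KNOWN_DEFAULTS:
        findings.append("factory default credential still in use")
    if len(password) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in blocklist:
        findings.append("on the common/compromised password blocklist")
    if username and username.lower() in password.lower():
        findings.append("contains the account name")
    if re.fullmatch(r"(.)\1+", password):
        findings.append("one repeated character")
    elif is_sequential(password):
        findings.append("sequential characters")
    return findings


def audit_accounts(accounts: list[tuple[str, str]]) -> dict[str, list[str]]:
    """Run the check over an exported account list; keep only failing accounts."""
    report: dict[str, list[str]] = {}
    for user, pw in accounts:
        findings = check_bmc_password(user, pw)
        if findings:
            report[user] = findings
    return report


# Constructed sample resembling an account export from a BMC inventory tool.
SAMPLE_ACCOUNTS = [
    ("admin", "ChangeMe-Default"),            # never changed from the default
    ("root", "root2023"),                     # built from the account name
    ("svc-ipmi", "aaaaaaaa"),                 # trivially repetitive
    ("opsuser", "Vk9-plum-tractor-ledger"),   # acceptable
]

if __name__ == "__main__":
    for user, findings in audit_accounts(SAMPLE_ACCOUNTS).items():
        print(f"{user}: {'; '.join(findings)}")
```

Because most BMCs do not integrate with central account management, a periodic export-and-check like this is often the only way to find an account that was never changed from its default.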

It also suggests establishing “a virtual local area network (VLAN) to isolate BMC network connections since many BMC products have a dedicated network port not shared with the OS or virtual machine manager (VMM). Limit the endpoints that may communicate with BMCs in the enterprise infrastructure—commonly referred to as an Administrative VLAN. Limit or block BMC access to the internet. If the BMC requires internet access to update, create rules such that only update-supporting traffic is permitted during the update download.”

The document also called for consulting vendor guides and recommendations for hardening BMCs against unauthorized access and persistent threats. Further, UEFI hardening configuration guidance may apply to many BMC settings. “BMC updates are delivered separately from most other software and firmware updates. Establish a routine to conduct monthly or quarterly checks for BMC updates according to the system vendor’s recommendations and scheduled patch releases. Combine BMC update installations with routine server maintenance and scheduled downtime when possible,” it added.

The document said that some BMCs report integrity data to a root of trust (RoT), which could take the form of a TPM, dedicated security chip or coprocessor (multiple trademarked names in use), or a central processing unit (CPU) secure memory enclave. It suggests monitoring integrity features for unexpected changes and platform alerts. It also advises moving sensitive workloads to hardened devices, as older server and cloud nodes may lack any BMC integrity monitoring mechanism. The presence of a TPM does not guarantee that BMC integrity data is collected. Place sensitive workloads on hardware designed to audit both the BMC firmware and the platform firmware, it added.

“Some modern EDR and platform scanning tools support BMC firmware capture. Establish a schedule to collect and inspect BMC firmware for integrity and unexpected changes. Include firmware audits in comprehensive anti-malware scanning tasks,” the document said. “A user may accidentally connect and expose an ignored and disconnected BMC to malicious content. Treat an unused BMC as if it may one day be activated. Apply patches. Harden credentials. Restrict network access. If a BMC cannot be disabled or removed, carry out recommended actions appropriate to the sensitivity of the platform’s data,” it added. 
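The two recommendations above, monitoring integrity data for unexpected changes and collecting BMC firmware on a schedule for inspection, come down to comparing what was captured against a recorded baseline. The script below is an added example for this article, not code from the information sheet or from any EDR product; the hostnames and firmware images are constructed bytes, and in practice the captures would come from whatever platform scanning tool collects the BMC firmware, with the vendor digest taken from the vendor's published release information. It classifies each host as unchanged, changed, never baselined, or not captured, and only re-baselines a host when a new image matches the vendor's digest.

```python
"""Periodic integrity audit of captured BMC firmware images.

Added example, not from the CISA/NSA information sheet. GOLDEN_V1,
GOLDEN_V2, ALTERED, BASELINE and CAPTURES are constructed samples.
"""
from __future__ import annotations
import hashlib

UNCHANGED, CHANGED, NO_BASELINE, NOT_CAPTURED = "unchanged", "CHANGED", "no-baseline", "not-captured"


def fingerprint(image: bytes) -> str:
    """SHA-256 hex digest of a captured firmware image."""
    return hashlib.sha256(image).hexdigest()


def audit_firmware(baseline: dict[str, str], captures: dict[str, bytes]) -> dict[str, str]:
    """Classify every host known to either the baseline or the capture set.

    A host with no capture is reported rather than ignored: an unused or
    unreachable BMC still needs tracking, as the information sheet notes.
    """
    report: dict[str, str] = {}
    for host in sorted(set(baseline) | set(captures)):
        if host not in captures:
            report[host] = NOT_CAPTURED
        elif host not in baseline:
            report[host] = NO_BASELINE
        elif fingerprint(captures[host]) == baseline[host]:
            report[host] = UNCHANGED
        else:
            report[host] = CHANGED
    return report


def accept_update(baseline: dict[str, str], host: str, image: bytes, vendor_digest: str) -> bool:
    """After a sanctioned update, re-baseline a host only when the captured
    image matches the digest the vendor published. Otherwise the old baseline
    stays, so the next audit keeps flagging the host as CHANGED."""
    digest = fingerprint(image)
    if digest != vendor_digest.lower():
        return False
    baseline[host] = digest
    return True


# Constructed sample images (real captures are multi-megabyte binaries).
GOLDEN_V1 = b"constructed-sample-bmc-firmware-v1"
GOLDEN_V2 = b"constructed-sample-bmc-firmware-v2"
ALTERED = GOLDEN_V1 + b"-unexpected-modification"

BASELINE = {h: fingerprint(GOLDEN_V1) for h in ("srv-01", "srv-02", "srv-03")}
CAPTURES = {
    "srv-01": GOLDEN_V1,   # matches baseline
    "srv-02": ALTERED,     # differs from baseline: investigate before re-baselining
    "srv-04": GOLDEN_V1,   # never baselined: new or forgotten host
}                          # srv-03 absent: capture failed or BMC unused

if __name__ == "__main__":
    for host, status in audit_firmware(BASELINE, CAPTURES).items():
        print(f"{host}: {status}")
```

Keeping the baseline store separate from the scanned hosts matters: a digest recorded on the same server whose BMC is in question is not independent evidence. Where the platform reports BMC integrity to a root of trust such as a TPM, that measurement is the stronger source, and this kind of capture-and-compare audit is the fallback for older hardware that lacks it.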

The CISA, NSA, and Multi-State Information Sharing and Analysis Center (MS-ISAC) issued in January a joint cybersecurity advisory (CSA) that warned network defenders about the malicious use of legitimate remote monitoring and management (RMM) software. 

Earlier this week, CISA issued a binding operational directive calling federal agencies to secure Internet-exposed management interfaces. The agency will start scanning federal agencies for vulnerable network devices, requiring them to disconnect these devices from the internet or tighten access controls. The rationale behind the binding operational directive is that cyber adversaries are increasingly targeting network infrastructure as endpoint protections improve.
