RoD
Contributor

BMC software/firmware and access to internet

Hi,

I read about a motherboard-level Trojan that can easily alter the BMC (AST2600) and BIOS firmware and steal user data.

https://hackaday.com/2018/10/04/malicious-component-found-on-server-motherboards-supplied-to-numerou...

https://ftp.fau.de/cdn.media.ccc.de/congress/2018/h264-hd/35c3-9597-eng-deu-fra-Modchips_of_the_Stat...


My question is: what is the best solution for R81.10 to block any access of BMC software/firmware to the Internet?
(block all BMC ports, block the BMC MAC address, etc.)


Thanks  🙂

0 Kudos
2 Replies
PhoneBoy
Admin

To me, this is mostly a matter of ensuring strict access controls are in place.
That means restricting access to that which is absolutely required by only those required to access it.

I suspect if there are/will be widely known attacks against these BMCs and they are exploitable over a network, we will add the relevant signatures and/or IOCs to ThreatCloud which would allow the various Threat Prevention technologies to block it.

Bob_Zimmerman
Authority

BMCs by themselves don't necessarily have network access. The AST2500 and AST2600 present themselves to hosts as a PCIe video card and USB keyboard, mouse, and storage, but they don't interact with the host's network interfaces. If you aren't using your LOM ports, they have no network access at all.

If you are using your LOM ports, then just don't let your LOMs talk out to the Internet. Note that this will break the ability many modern LOMs have to report hardware faults to the vendor for automatic RMA (e.g., when one of my open servers' drives fails, a new drive just shows up in the mail without needing me to open a ticket manually).

One major note, though: that Bloomberg story is complete nonsense. Everybody cited as affected has issued explicit denials (not just "We don't know what Bloomberg is talking about", but actively saying "Bloomberg is wrong"). A huge amount of independent research afterwards has turned up nothing.
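The access-control approach both replies describe (a dedicated LOM/BMC network that only an admin host may reach, and that is never allowed to initiate connections to the Internet) is modelled below as a small first-match policy evaluator. This is an added example, not code from the thread, from Check Point, or from any BMC vendor: the subnet, jump host, syslog collector, port list and sample flows are constructed placeholders, and the rule names mimic a rulebase but are not R81.10 syntax. It also counts hits on the "BMC to outside" drop rule, since a BMC that keeps trying to call out is the event worth alerting on, and it shows the trade-off Bob mentions (the vendor phone-home flow lands on the same drop rule).

```python
"""Toy egress-policy model for a BMC/LOM management network.

Constructed example: every address, port set and sample flow here is a
placeholder (assumption), not taken from the thread or any real site.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Assumed addressing: a dedicated VLAN for LOM/BMC ports, one admin jump
# host allowed to reach it, and an internal syslog collector it may talk to.
BMC_NET = ipaddress.ip_network("10.255.0.0/24")
JUMP_HOST = ipaddress.ip_address("10.10.1.5")
SYSLOG_HOST = ipaddress.ip_address("10.10.1.20")
# Management services the jump host may use (assumed list).
BMC_MGMT_PORTS = {22, 443, 623}          # SSH, HTTPS web UI, IPMI-over-LAN
# "Internal" is an explicit object group rather than ipaddress.is_private,
# so the documentation/TEST-NET ranges used in the samples count as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def is_internal(addr: ipaddress.IPv4Address) -> bool:
    return any(addr in net for net in INTERNAL_NETS)


def evaluate(flow: Flow) -> tuple[str, str]:
    """First-match rulebase. Returns (action, rule_name)."""
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    src_bmc, dst_bmc = src in BMC_NET, dst in BMC_NET

    # 1. Only the jump host may open management sessions to BMCs.
    if src == JUMP_HOST and dst_bmc and flow.dport in BMC_MGMT_PORTS:
        return "accept", "admin-to-bmc"
    # 2. BMCs may ship their audit log to the internal collector.
    if src_bmc and dst == SYSLOG_HOST and flow.proto == "udp" and flow.dport == 514:
        return "accept", "bmc-to-syslog"
    # 3. Named drop for BMC -> anything non-internal. This is the rule that
    #    also breaks vendor phone-home/auto-RMA, and the one worth alerting on.
    if src_bmc and not is_internal(dst):
        return "drop", "bmc-no-internet"
    # 4. Everything else touching the BMC VLAN is dropped (cleanup rule).
    if src_bmc or dst_bmc:
        return "drop", "bmc-cleanup"
    return "accept", "not-bmc-traffic"   # outside this example's scope


def egress_attempts(flows) -> Counter:
    """Count, per BMC address, how often it hit the bmc-no-internet rule."""
    hits = Counter()
    for f in flows:
        if evaluate(f) == ("drop", "bmc-no-internet"):
            hits[f.src] += 1
    return hits


# Constructed sample traffic (placeholders).
SAMPLE_FLOWS = [
    Flow("10.10.1.5", "10.255.0.7", 443),            # admin opens the web UI
    Flow("10.255.0.7", "10.10.1.20", 514, "udp"),     # BMC sends syslog
    Flow("10.255.0.7", "198.51.100.10", 443),         # vendor phone-home
    Flow("10.255.0.7", "203.0.113.5", 80),            # unexplained egress
    Flow("10.255.0.9", "203.0.113.5", 443),           # another BMC, same dst
    Flow("192.168.4.4", "10.255.0.7", 22),            # non-admin host
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f"{f.src:>14} -> {f.dst:<15} {f.proto}/{f.dport:<4} {evaluate(f)}")
    print("external attempts per BMC:", dict(egress_attempts(SAMPLE_FLOWS)))
```

The point of giving the BMC-to-outside drop its own named rule rather than leaving it to the cleanup rule is that the logs then separate "a workstation poked the BMC VLAN" from "a BMC tried to leave", which is the condition the original question is worried about.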
