In recent years, we have been witnessing a steady increase in security vulnerabilities in firmware. Nearly all of these issues require local (often privileged) or physical access to exploit. In this talk, we will present novel *remote* attacks on system firmware.
We will show different remote attack vectors into system firmware, including networking, updates over the Internet, and error reporting. We will also demonstrate and remotely exploit vulnerabilities in different UEFI firmware implementations, which can lead to installing persistent implants remotely and at scale. The proof-of-concept exploit is less than 800 bytes.
How can we defend against such firmware attacks? We will analyze the remotely exploitable UEFI and BMC attack surface of modern systems, explain specific mitigations for the discussed vulnerabilities, and provide recommendations to detect such attacks and discover compromised systems.
Nmap scan report for supermicro-x11ssm-bmc.x.x.x (x.x.x.x)
Not shown: 65530 closed ports
PORT     STATE SERVICE  REASON         VERSION
80/tcp   open  http     syn-ack ttl 64 ATEN/Supermicro IPMI web interface
443/tcp  open  ssl/http syn-ack ttl 64 ATEN/Supermicro IPMI web interface
623/tcp  open  asf-rmcp syn-ack ttl 64 SuperMicro IPMI RMCP
5900/tcp open  vnc      syn-ack ttl 64 VNC (protocol 3.8)
MAC Address: 0C:C4:7A:40:60:97 (SuperMicro Computer)
Nmap done: 1 IP address (1 host up) scanned in 1403.00 seconds

BMC - Remote Attack surface
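The scan above is the kind of evidence a defender uses to inventory BMCs that are reachable from a general-purpose network. As an added example (not code from the talk or from Supermicro), the following Python parses plain-text Nmap service output in the layout shown on the slide and flags open BMC management services. The sample input is the slide's own report, re-spaced; the hostname heuristics, the port-to-risk table and the severity ordering are this example's assumptions, not statements from the talk.

```python
import re

# Constructed sample: the Nmap report from the slide, re-spaced for readability.
# Host name and address are redacted exactly as on the slide (x.x.x.x).
SAMPLE_SCAN = """\
Nmap scan report for supermicro-x11ssm-bmc.x.x.x (x.x.x.x)
Not shown: 65530 closed ports
PORT     STATE SERVICE  REASON         VERSION
80/tcp   open  http     syn-ack ttl 64 ATEN/Supermicro IPMI web interface
443/tcp  open  ssl/http syn-ack ttl 64 ATEN/Supermicro IPMI web interface
623/tcp  open  asf-rmcp syn-ack ttl 64 SuperMicro IPMI RMCP
5900/tcp open  vnc      syn-ack ttl 64 VNC (protocol 3.8)
MAC Address: 0C:C4:7A:40:60:97 (SuperMicro Computer)
Nmap done: 1 IP address (1 host up) scanned in 1403.00 seconds
"""

# Assumed policy for this example: BMC management services that should only be
# reachable from a dedicated management network. Port numbers are the standard
# assignments; the descriptions are this example's own wording.
BMC_MANAGEMENT_PORTS = {
    623:  "IPMI RMCP (asf-rmcp): out-of-band management protocol reachable over the network",
    5900: "VNC: BMC remote console (keyboard/video) exposed",
    80:   "HTTP: BMC web interface served without TLS",
    443:  "HTTPS: BMC web interface reachable",
}

# Matches one port line of `nmap -sV --reason` style output:
# PORT/PROTO  STATE  SERVICE  REASON [ttl N]  VERSION
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)\s+"
    r"(?P<reason>\S+(?:\s+ttl\s+\d+)?)\s*(?P<version>.*)$"
)


def parse_nmap_report(text):
    """Return (host, mac, ports) from a plain-text Nmap report for one host."""
    host = mac = None
    ports = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Nmap scan report for "):
            host = line[len("Nmap scan report for "):]
        elif line.startswith("MAC Address:"):
            mac = line.split()[2]
        else:
            m = PORT_LINE.match(line)
            if m:
                ports.append({
                    "port": int(m["port"]), "proto": m["proto"], "state": m["state"],
                    "service": m["service"], "version": m["version"].strip(),
                })
    return host, mac, ports


def is_bmc_host(host, ports):
    """Assumed heuristic: a 'bmc'/'ipmi' hostname hint or an IPMI service marks a BMC."""
    name = (host or "").lower()
    if "bmc" in name or "ipmi" in name:
        return True
    return any(p["service"] == "asf-rmcp" or "IPMI" in p["version"] for p in ports)


def flag_bmc_exposure(text):
    """List (port, risk) findings for each open BMC management service, most severe first."""
    host, _mac, ports = parse_nmap_report(text)
    if not is_bmc_host(host, ports):
        return []
    findings = [
        (f"{p['port']}/{p['proto']}", BMC_MANAGEMENT_PORTS[p["port"]])
        for p in ports
        if p["state"] == "open" and p["proto"] == "tcp" and p["port"] in BMC_MANAGEMENT_PORTS
    ]
    # Assumed severity order: IPMI RMCP, then remote console, then web interfaces.
    order = [623, 5900, 80, 443]
    findings.sort(key=lambda f: order.index(int(f[0].split("/")[0])))
    return findings


if __name__ == "__main__":
    for port, risk in flag_bmc_exposure(SAMPLE_SCAN):
        print(f"{port:9} {risk}")
```

Run over a directory of per-host Nmap reports, the same functions give a list of BMCs whose management plane is visible from the scanning vantage point; a BMC that appears in that list from an office or production segment is a finding to fix by network segmentation, regardless of whether the firmware itself has a known bug.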
Intel ME/AMT history

2006 - AMT 1.0: First version of Intel AMT, available in Core 2 Duo vPro; included embedded web server and firmware update capabilities.
2007 - AMT 2.5: Wireless network support added here.
2008 - AMT 4.0: Over-the-Internet provisioning capabilities.
2010 - AMT 6.0: Remote KVM support added here.
2017 - Critical auth bypass in AMT v6 through v11: Embedi discovered that you could log in to AMT as admin with no password on all vPro systems since 2010.
Also 2017 - Multiple vulns in AMT v8 through v11: Positive Technologies found more vulns in AMT, including multiple buffer overflows allowing LPE and RCE.

ME/AMT Remote Attack surface