The Unbearable Lightness of BMC’s

July 8, 2018 ~ hucktech ~ Leave a comment

Out of Band Power Management devices introduce vulns that bring back memories from the 1990s, enable remote code execution that is 100% reliable & the possibility of moving bidirectionally btw server & BMC. #BHUSA Briefing by @nicowaisman & @gnuler https://t.co/tkpN99CpZH

— Black Hat (@BlackHatEvents) July 8, 2018

https://twitter.com/nicowaisman/status/1004367132854050816

https://www.blackhat.com/us-18/briefings/schedule/#the-unbearable-lightness-of-bmcs-10035

Black Hat: System Firmware Attack and Defense for the Enterprise

January 25, 2018January 26, 2018 ~ hucktech ~ Leave a comment

Well, this should be fun… first time attending @BlackHatEvents as a trainer with @c7zero, @ABazhaniuk & @JohnLoucaides (Aug 4-7, 2018).

"SYSTEM FIRMWARE ATTACK AND DEFENSE FOR THE ENTERPRISE"https://t.co/CGYcjUybVD https://t.co/vKUjFVDVb8

— Brian Richardson (on LinkedIn) (@BrianOnChips) January 25, 2018

A variety of attacks targeting system firmware have been discussed publicly, drawing attention to interaction with system firmware components. This includes operating system loaders, secure boot mechanisms, runtime interfaces, and system management mode (SMM). This training will detail and organize objectives, attack vectors, vulnerabilities, and protection mechanisms in this fascinating environment. The training includes two parts.
1. Present a structured approach to system firmware security analysis and mitigations through lecture and hands-on exercises to test system firmware for vulnerabilities. After the training, students will have basic understanding of platform hardware components, system firmware components, attacks against system firmware, and available mitigations. Students can apply this knowledge to identify firmware vulnerabilities and perform forensic analysis.
2. Apply concepts to an enterprise environment. Using an understanding of security issues, students explore potential risks to operational environments including both supply chain and remote malware attacks. Students will perform assessments and basic forensic analysis of potential firmware attacks.

https://www.blackhat.com/us-18/training/schedule/index.html#system-firmware-attack-and-defense-for-the-enterprise-9792

Cumulus ONIE firmware vulnerability

August 10, 2015 ~ hucktech ~ Leave a comment

Last week at Black Hat Briefings, Gregory Pickett gave a presentation focusing on firmware security issues of the Cumulus ONIE:

https://www.blackhat.com/us-15/briefings.html#staying-persistent-in-software-defined-networks

Staying Persistent in Software Defined Networks
Gregory Pickett
“The Open Network Install Environment, or ONIE, makes commodity or WhiteBox Ethernet possible. By placing a common, Linux-based, install environment onto the firmware of the switch, customers can deploy the Network Operating Systems of their choice onto the switch and do so whenever they like without replacing the hardware. The problem is, if this gets compromised, it also makes it possible for hackers to install malware onto the switch. Malware that can manipulate it and your network, and keep doing it long after a Network Operating System reinstall. With no secure boot, no encryption, no authentication, predictable HTTP/TFTP waterfalls, and exposed post-installation partition, ONIE is very susceptible to compromise. And with Network Operating Systems such as Switch Light, Cumulus Linux, and Mellanox-OS via their agents Indigo and eSwitchd not exactly putting up a fight with problems like no authentication, no encryption, poor encryption, and insufficient isolation, this is a real possibility. In this session, we’ll cover the weaknesses in ONIE, ways to reach the platform through these Network Operating Systems, and what can happen if we don’t properly protect the Control Plane these switches run on. I’ll even demonstrate with a drive-by web-attack that is able to pivot through a Windows management station to reach the isolated control plane network, and infect one of these ONIE-based switches with malware, malware that’s there even after a refresh. You’ll even get the source code to take home with you to see how easily it’s done. Finally, we’ll talk about how to compensate for these issues so that your network doesn’t become infected with and manipulated by this sort of persistent firmware-level malware.”

The slides, whitepaper, and sample code are now online:

Click to access us-15-Pickett-Staying-Persistent-In-Software-Defined-Networks-wp.pdf

https://www.blackhat.com/docs/us-15/materials/us-15-Pickett-Staying-Persistent-In-Software-Defined-Networks-tool.py

Click to access us-15-Pickett-Staying-Persistent-In-Software-Defined-Networks.pdf

Also last week, Nolan Leake of Cumulus Networks wrote a story from the other side of a Black Hat vulnerability, of his interactions with Gregory:

“Gregory Pickett of Hellfire Security reached out to me last Wednesday about some interesting research he is presenting tomorrow at Black Hat USA. There are two parts to his research: a security bug in Cumulus Linux (that we already patched) and other network operating systems, and a serious design issue with how all network switches are designed and built. […] The much more serious issue he will present is the exploitability of firmware in all network switches. This same exploitability has been known about in servers, laptops and PCs for years (and in some cases mitigated with technologies like Trusted Platform Modules), but its application to networking devices is new. […]”

Read the full blog here:
http://cumulusnetworks.com/blog/security-benefits-of-open-source-and-open-development/

And of course, if you use Cumulus products, make sure you’ve applied their recent updates!