'Pantsdown': Critical vulnerability found in multiple BMC firmware stacks

• The affected BMC firmware stacks include OpenBMC, AMI's BMC, and SuperMicro.
• Systems using the ASPEED ast2400 and ast2500 system-on-chips (SoCs) are also affected.

A severe security vulnerability was discovered recently that impacts multiple Baseboard Management Controller (BMC) firmware stacks and hardware.

Security Researcher Steward Smith in a blog described that the vulnerability (CVE-2019-6260) has been nicknamed as ‘Pantsdown’ due to the nature of a feeling that we’ve caught ‘chunks of the industry with their…’.

BMC hardware affected

A baseboard management controller, or BMC, is essentially a small computer that is a part of almost all server motherboards. Other components such as higher-end switches, JBODs, JBOFs, and other devices can include BMCs as well. ASPEED is currently the largest vendor for BMCs.

Smith explained that the vulnerability gets into action based on BMC setups and hardware configuration such as bare-metal cloud hosting arrangements. He said that systems using the ASPEED ast2400 and ast2500 system-on-chips (SoCs) are primarily affected. OpenBMC versions up to version 2.6 on all supported ASPEED based platform are also affected.

“The ASPEED ast2400 and ast2500 Baseboard Management Controller (BMC) hardware and firmware implement Advanced High-performance Bus (AHB) bridges, which allow arbitrary read and write access to the BMC’s physical address space from the host, or from the network if the BMC console uart is attached to a serial concentrator (this is atypical for most systems),” Smith wrote in the blog.

Remote unauthorized compromise

The researcher explained that the common configuration of the ASPEED BMC system-on-chips (SoCs) features leaves it open to ‘remote’ unauthorized compromise from the host and the BMC console.

“This stems from AHB bridges on the LPC and PCIe buses, another on the BMC console UART (hardware password protected), and the ability of the X-DMA engine to address all of the BMC's M-Bus (memory bus),” Smith explained.

Multiple BMC firmware stacks including OpenBMC, AMI’s BMC, and Supermicro were also affected. He further said that it is possible that other BMC hardware and architectures to have been affected, however, they have not been tested.

Consequences of unauthenticated access

Smith explained that if exploited, unauthorized access might lead to the following,

• Malware execution
• Overwriting of existing firmware
• Performing arbitrary reads or writes to BMC RAM
• Configuration of an inband BMC console fro the host
• BMC bricking by disabling the CPU click until a future power cycle

Smith said that resolving the vulnerability is platform-dependant as it requires a patch to be issued to both BMC firmware and host firmware. However, IBM's OpenPOWER systems have issued patches to both the host and BMC firmware.

Mitigation

Smith goes on to describe the various features of BMC systems that are impacted by this vulnerability and suggests disabling those features to avoid the security risk.

In addition to that, he mentions that it is not clear whether to define this vulnerability as local or remote. This would depend on whether one considers the connection between the BMC and the host as a network or not.

Moreover, the researcher stated that “‘The fix is platform dependent as it can involve patching both the BMC firmware and the host firmware.” The team of IBM researchers who worked on this, have fixed the issue for OpenPower systems on both the BMC and the host side.

OpenBMC provides a u-boot patch which disables the affected features to avoid the security risk. OpenBMC platform maintainers can opt-in for this patch at this link.