Date : 05 juin 2019 à 14:45 — 30 min.
While Baseboard Management Controllers (BMC) grow in popularity as solutions to manage and monitor servers remotely, several critical vulnerabilities targeting them have recently been found. On servers manufactured by HP, it has been published that the compromise of the BMC enables attackers to read and write the memory of the main operating system through Direct Memory Access (DMA) channels. As these communication channels are not specific to HP, it can be expected that a vulnerability allowing attackers to execute arbitrary code on a BMC from another manufacturer provides a similar access.
In 2018, a remote code execution vulnerability targeting Dell's BMC (named iDRAC) has been published. The access provided by the exploitation of the vulnerability puts attackers in a similar position to being in the datacenter with physical access to the server: they can watch the screen, use a keyboard and a mouse, reboot the server, etc. However, they cannot read or write the RAM of the server. More precisely, nobody has described how the iDRAC could perform DMA to the main RAM of a server.
On a Dell PowerEdge server, the iDRAC has a low-level access to many hardware components, for example in order to monitor the power and temperature of the CPU. It does not usually perform DMA with the main memory, but this might be possible to achieve if the iDRAC has access to the relevant hardware interfaces. This presentation digs into the interfaces used by iDRAC 8 in order to find out whether it can access the main memory. It focuses on components that are more likely to provide such an access, like the virtual USB devices, the CPLD connected to the iDRAC and the PCIe device that previous iDRAC revisions exposed. In the end, none of these devices seem to provide an access to the memory of the main operating system. Nevertheless the iDRAC interracts with a H8S microcontroller that appears to be closely related to the PCIe bus. The analysis of this new microcontroller is still a work in progress.