
Hackers remotely turn up the voltage on motherboards to brick servers

Presenting at Black Hat Asia 2023, an infosec researcher detailed how remote updates can be exploited to modify voltage on a Supermicro motherboard and remotely brick machines.

The University of Birmingham duo behind the discovery like to play around with voltage. They had already revealed a vulnerability in Intel's Software Guard Extensions (SGX) processor feature known as Plundervolt, and in 2020 a $30 hardware attack on Intel SGX cloud servers called VoltPillager.

When the voltage supplied to these systems is altered, computations inside the enclave can be faulted, which weakens the encryption and lets the hackers extract sensitive data.

VoltPillager was not a remote attack and required physical proximity, such as a rogue employee, so it was limited in threat scope. Plundervolt, while possibly remote, required privileged access to the operating system and BIOS.

Intel issued firmware updates to prevent Plundervolt, but stated that techniques that require an attacker to physically open a case, such as VoltPillager, were not considered vulnerabilities.

The new power management fault, or PMFault, can be carried out by a privileged software adversary who doesn't have access to Baseboard Management Controller (BMC) login credentials. It allows the same data extraction as its predecessor attacks, but through the BMC flash memory chip.

The two researchers, Zitai Chen and David Oswald, said in a January academic publication that “undervolting through the PMBus allows breaking the integrity guarantees of SGX enclaves, bypassing Intel’s countermeasures against previous undervolting attacks like Plundervolt.”

By then overvolting – sending 2.84 volts to a CPU specified for 1.52 volts – the pair permanently bricked two separate Xeon CPUs used in the experiment.


They pinned the vulnerabilities on insecure firmware encryption and signing mechanisms, a lack of authentication for firmware upgrades and for the IPMI KCS control interface, and the overall motherboard design.

“I think this attack is nicer than the VoltPillager,” said Chen at Black Hat Asia 2023, adding that it was “less messy” as there were fewer cables and no need to control temperature.

“With this attack we only need the Ethernet cable to connect to the server. And that’s it. We don’t need to open the box anymore.”

The duo’s big takeaway is that trusted execution environments “like SGX must not only rely on the security of the CPU itself, but also of that of management components [in] the hardware design of the platform.”

Overall, they advocate thinking of a server as an embedded system, declare that SGX attestation cannot measure BMC firmware, and warn that improper jumper configuration can cause security issues.

Chen and Oswald offer a PMBusDetect tool for identifying whether a voltage regulator module is connected to the PMBus. However, they have so far only tested it on the Renesas ISL68137 and the Monolithic MP2955.

Supermicro did respond to Chen and Oswald’s disclosure back in January. The hardware maker rated the vulnerability’s severity as “high” and issued new signed BMC firmware for all affected Supermicro motherboard SKUs.

That includes those that incorporate the Intelligent Platform Management Interface (IPMI) – the X11, X12, H11, and H12 product lines. ®
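As an added illustration of that remediation step (this is not code from the article, from Supermicro, or from Chen and Oswald): a small Python fleet check that parses the text `ipmitool mc info` prints for each host's BMC and flags Supermicro controllers whose firmware revision is below a minimum you set from Supermicro's advisory. The sample outputs, the host names and the minimum revision are constructed placeholders, and the manufacturer string is assumed to match what ipmitool prints for Supermicro boards.

```python
"""Fleet check for outdated Supermicro BMC firmware (added example).

Feed it the text of `ipmitool mc info` collected from each host; it reports
which BMCs are still below the fixed firmware revision. Read-only: it never
talks to the BMC itself.
"""
import re

# Placeholder: replace with the fixed BMC firmware revision from
# Supermicro's advisory for your board SKU.
MIN_FIXED_REVISION = (1, 74)

# Constructed samples in the layout `ipmitool mc info` uses ("Key : Value").
SAMPLE_OLD = """Device ID                 : 32
Device Revision           : 1
Firmware Revision         : 1.73
IPMI Version              : 2.0
Manufacturer ID           : 10876
Manufacturer Name         : Supermicro
Product ID                : 2061 (0x080d)
"""
SAMPLE_NEW = SAMPLE_OLD.replace("1.73", "1.74")
SAMPLE_OTHER = """Device ID                 : 32
Firmware Revision         : 2.81
Manufacturer ID           : 674
Manufacturer Name         : DELL Inc
"""


def parse_mc_info(text):
    """Turn the 'Key : Value' lines of `ipmitool mc info` into a dict."""
    info = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            info[key.strip()] = value.strip()
    return info


def parse_revision(rev):
    """'1.73' -> (1, 73); None when the string is not a major.minor pair."""
    m = re.fullmatch(r"(\d+)\.(\d+)", rev.strip())
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def assess_bmc(text, min_rev=MIN_FIXED_REVISION):
    """Classify one BMC: 'outdated', 'ok', 'not-supermicro' or 'unknown'."""
    info = parse_mc_info(text)
    manufacturer = info.get("Manufacturer Name", "")
    rev = parse_revision(info.get("Firmware Revision", ""))
    if rev is None:
        return "unknown", "could not read firmware revision"
    # Assumption: ipmitool names the vendor "Supermicro" (or "Super Micro").
    if "supermicro" not in manufacturer.replace(" ", "").lower():
        return "not-supermicro", manufacturer
    if rev < min_rev:
        return "outdated", "BMC firmware %d.%d is below %d.%d" % (*rev, *min_rev)
    return "ok", "BMC firmware %d.%d" % rev


def triage(reports, min_rev=MIN_FIXED_REVISION):
    """Map {host: mc-info text} to the sorted list of hosts needing an update."""
    return sorted(h for h, t in reports.items() if assess_bmc(t, min_rev)[0] == "outdated")


if __name__ == "__main__":
    fleet = {"db-01": SAMPLE_OLD, "db-02": SAMPLE_NEW, "web-07": SAMPLE_OTHER}
    for host, text in fleet.items():
        print(host, *assess_bmc(text))
    print("needs update:", triage(fleet))
```

In practice the `reports` dictionary would be filled from `ipmitool mc info` run in-band on each host (or from your inventory system), and a host landing in the `outdated` list is one where the unauthenticated firmware and KCS paths described above are still reachable.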
