CVE-2019-6260 Gaining control of BMC from the host processor vulnerability

At the end of January 2019, a vulnerability in ASPEED AST2400 and AST2500 BMC chips became public. With the "Pantsdown" vulnerability, malware could be installed on the BMC from the local host via PCI Express or the Low Pin Count (LPC) interface. With manipulated software on the BMC, malware or spyware could be permanently stored on the server. According to the National Vulnerability Database, the two BMC chips AST2400 and AST2500 have implemented so-called Advanced High-Performance Bus (AHB) bridges, which allow any read and write access to the physical address space of the BMC from the host. This means that malware running on the server can also access the RAM of the BMC.

Affected systems from Thomas-Krenn

Among others, Supermicro motherboards and potentially ASUS motherboards are affected by this vulnerability. We will update this article as soon as we have more information. Currently you can find more information in the article from heise.de.^[1]

Manufacturer information

As of 04.02.2019, a first statement is available from Supermicro:

Supermicro is aware of the recent vulnerability CVE-2019-6260 that was discovered in the Baseband Management Controller (BMC) firmware stack. According to the National Vulnerability Database, the ASPEED AST2400 and AST2500 BMC hardware and firmware implement Advanced High-performance Bus (AHB) bridges, which allow arbitrary read and write access to the BMC's physical address space from the host. Supermicro is working with the vendor ASPEED on its fixes for this issue. We will post further information regarding impacted products and scheduled availability for any fixes as information becomes available.^[2]

References

↑ Pants down: Sicherheitslücke in Server-Fernwartung (heise.de, 01.02.2019)
↑ Baseboard Management Controller (BMC) Security Vulnerabilities regarding systems using the ASPEED AST2400 and AST2500 system-on-chips (SoCs) (CVE-2019-6260) (www.supermicro.com)

Further information

CVE-2019-6260: Gaining control of BMC from the host processor (flamingspork.com Blog, 23.01.2019)
Pantsdown: Fehler in Server-Firmware ermöglicht Rootkit (golem.de, 24.01.2019)
CVE-2019-6260 (cve.mitre.org)

Author: Werner Fischer

Werner Fischer, working in the Knowledge Transfer team at Thomas-Krenn, completed his studies of Computer and Media Security at FH Hagenberg in Austria. He is a regular speaker at many conferences like LinuxTag, OSMC, OSDC, LinuxCon, and author for various IT magazines. In his spare time he enjoys playing the piano and training for a good result at the annual Linz marathon relay.

[1] Pants down: Sicherheitslücke in Server-Fernwartung (heise.de, 01.02.2019)

[2] Baseboard Management Controller (BMC) Security Vulnerabilities regarding systems using the ASPEED AST2400 and AST2500 system-on-chips (SoCs) (CVE-2019-6260) (www.supermicro.com)

[1]

[2]

CVE-2019-6260 Gaining control of BMC from the host processor vulnerability

Contents

Affected systems from Thomas-Krenn

Manufacturer information

References

Further information

Related articles

Navigation menu