[CDP-development] CISA and NSA Help Organizations Secure Baseboard Management Controllers
Masse, Theresa
theresa.masse at cisa.dhs.gov
Wed Jun 14 10:47:40 PDT 2023
FYSA
Today, the Cybersecurity and Infrastructure Security Agency (CISA) and National Security Agency (NSA) issued a joint Cybersecurity Information Sheet<https://www.cisa.gov/news-events/alerts/2023/06/14/cisa-and-nsa-release-joint-guidance-hardening-baseboard-management-controllers-bmcs> recommending organizations pay attention to the security of their Baseboard Management Controllers (BMCs). Titled, "Hardening BMCs," the joint CSI encourages all organizations to apply the recommended actions to properly secure and maintain BMCs.
Hardened credentials, firmware updates, and network segmentation options are frequently overlooked, leading to a vulnerable BMC. A vulnerable BMC broadens the attack vector by providing malicious actors the opportunity to employ tactics such as establishing a beachhead with pre-boot execution potential.
The recommended actions align with the cross-sector Cybersecurity Performance Goals<https://www.cisa.gov/cross-sector-cybersecurity-performance-goals> (CPGs). Some of the actions include:
* Change the default BMC credentials as soon as possible.
* Limit the endpoints that may communicate with BMCs in the enterprise infrastructure, also known as administrative virtual local area network (VLAN).
* Consult vendor guides and recommendations for hardening BMCs against unauthorized access and persistent threats.
* Perform routine BMC update checks which are delivered separately from most other software and firmware updates.
* Monitor BMC integrity to include integrity features for unexpected changes or platform alerts.
* Move sensitive workloads to hardened devices, such as hardware designed to audit both the BMC firmware and the platform firmware.
* Periodically use firmware scanning tools to inspect for integrity and unexpected changes.
* Treat an unused BMC as if it may one day be activated: apply patches, harden credentials, and restrict network access.
Read the joint CSI<https://www.cisa.gov/news-events/alerts/2023/06/14/cisa-and-nsa-release-joint-guidance-hardening-baseboard-management-controllers-bmcs> for a complete overview of the threat to BMCs and recommended actions to protect against this threat.
Theresa A. Masse
Cybersecurity State Coordinator/Advisor, Region 10 (Oregon)
Cybersecurity and Infrastructure Security Agency
Department of Homeland Security
Phone: (503) 930-5671
Email: theresa.masse at cisa.dhs.gov