
There's a problem with the "exfiltrate via BMC network" theory.

In a sane setup, your BMC connection cannot access the internet. You should build an isolated intranet for it (including VLAN or hardware isolation, not just subnet/IP), and put a VPN at the front gate. As a result, you log in to your data center, or go there, if you like metaphors. If nobody's there via VPN, the BMC network is a silent and dark place. No connection to the outside, no unknown traffic, just silence. The only exception may be the discovery packets of some BMCs, which can find similar servers and form federations for easier management. Even this needs some setup beforehand.
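The "silent and dark" property described above is something you can check rather than assume. The following is an added example, not code from the thread or from any BMC vendor: a small audit over flow records from the management VLAN that flags any BMC talking to the outside, or any outside host reaching a BMC without going through the VPN. The addressing is hypothetical (BMC VLAN 10.200.0.0/24, VPN client pool 10.250.0.0/24), the record format is a constructed "src dst proto dport" line, and the sample flows are constructed, not captured traffic. Multicast discovery from a BMC is reported separately, since the comment notes it as the one expected exception.

```python
"""Audit flow records from an isolated BMC management VLAN.

Added example (not from the thread). Hypothetical assumptions:
  - the BMC network is 10.200.0.0/24 on its own VLAN
  - admins reach it only through a VPN whose client pool is 10.250.0.0/24
  - BMC-to-BMC discovery (multicast) is the only tolerated off-subnet traffic
"""
import ipaddress
from dataclasses import dataclass

BMC_NET = ipaddress.ip_network("10.200.0.0/24")   # assumed management VLAN
VPN_POOL = ipaddress.ip_network("10.250.0.0/24")  # assumed VPN client pool


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed record of the form 'src dst proto dport'."""
    src, dst, proto, dport = line.split()
    return Flow(src, dst, proto.lower(), int(dport))


def classify(flow: Flow) -> str:
    """Label a flow relative to the BMC VLAN policy."""
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    src_in, dst_in = src in BMC_NET, dst in BMC_NET
    if not (src_in or dst_in):
        return "unrelated"            # does not touch the BMC VLAN at all
    if src_in and dst_in:
        return "intra-vlan"           # BMC to BMC, or admin already inside
    if src_in and dst.is_multicast:
        return "discovery"            # the one tolerated off-subnet case
    other = dst if src_in else src
    if other in VPN_POOL:
        return "vpn-session"          # admin arriving through the front gate
    # Anything else is the "not silent" case the thread warns about.
    return "exfil-candidate" if src_in else "inbound-bypass"


def audit(lines):
    """Return (verdict, flow) pairs for every flow that violates the policy."""
    findings = []
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        flow = parse_flow(line)
        verdict = classify(flow)
        if verdict in ("exfil-candidate", "inbound-bypass"):
            findings.append((verdict, flow))
    return findings


# Constructed sample records (TEST-NET addresses stand in for the outside).
SAMPLE_FLOWS = """
# src dst proto dport
10.200.0.17 10.200.0.23 tcp 443
10.250.0.5 10.200.0.17 tcp 443
10.200.0.17 239.255.255.250 udp 1900
10.200.0.23 198.51.100.7 tcp 443
192.0.2.10 10.200.0.17 udp 623
"""

if __name__ == "__main__":
    for verdict, flow in audit(SAMPLE_FLOWS.splitlines()):
        print(f"{verdict}: {flow.src} -> {flow.dst} {flow.proto}/{flow.dport}")
```

On the constructed sample this reports two findings: a BMC reaching an outside web server (exactly the exfiltration path the theory needs) and an outside host hitting IPMI on a BMC without passing the VPN. In a real deployment the records would come from the switch's flow export or a span port on the management VLAN, and the two allowed prefixes would be the only tuning needed.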



If the BMC has write access to host memory it could surely use that access to create a side channel using the host's network interfaces.

Having said that, it would be nice if networks were segmented in the way you describe. I've been appalled at the lack of segmentation I've seen in companies of all sizes that I've had gigs for.


Today's network cards are small computers of their own. So it'd be very hard to inject packets with all this kernel-hardware integration at the module level, IMHO. The card would probably throw a tantrum if you tried to access it directly.

TBH, while I'm knowledgeable about hardware, I'm a total beginner on the attack side of cybersecurity.

At least, we are segmenting our networks like that.


Blame management.


According to this comment, the BMC is at least capable of working off the real NIC instead, and will do so if you don't hook up the management NIC. https://news.ycombinator.com/item?id=18138411


This is a BIOS setting, and even while the BMC is working over the primary NIC, it retains its independent MAC and IP address (and VLAN, if you set it up). Also, even if the NIC is shared between the BMC and the OS, you cannot see the BMC's NIC on the PCI bus. They are isolated at the hardware level.

I have managed lots of these servers for a long time, and this is my firsthand experience. :)


The BMC using the correct MAC and IP address is entirely down to the honesty of the software running on the BMC.


Yes, but if you isolate at the cable level, using the primary NIC's MAC and IP is moot. If you're sharing the medium, you need a good security team.

Attacks involving writing to / reading from memory and exfiltrating that data need proof-of-concept code now. I hope someone with comparable hardware and BMC modifies OpenBMC's code to steal some stuff from the OS for research purposes.

If it can be proved, the results will be relatively fun and certainly revolutionary.



