Supermicro BMC firmware update validation bypass
BINARLY team has discovered a vulnerability in the Supermicro BMC firmware authentication design, allowing a potential attacker to update the system firmware with a specially crafted image. This vulnerability is the result of an incomplete fix for CVE-2025-6198.
Potential Impact
An attacker could trick the BMC administrator to update the BMC system with a custom image containing malicious content. This would result in the complete compromise of the BMC system, also providing access to the main host OS. It would also allow the attacker to make the attack persistent during a BMC component reboot and perform lateral movement within the compromised infrastructure, infecting other endpoints.
Vulnerability Information
- BINARLY internal vulnerability identifier: BRLY-2025-024
- Supermicro PSIRT assigned CVE identifier: CVE-2025-12007
- CVSS v3.1: 7.2 High (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
Affected Supermicro firmware
| Device | Version | SHA256 |
|---|---|---|
| X13SEM-F | 01.05.02 | f5cb95cf1e63f372b536934c93db7fc85001b281825fcea5f26f892e5a8a4566 |
Vulnerability description
The auth_bmc_sig function contains the logic that parses the sig_table region of the uploaded BMC firmware. This region contains information about the signed parts of the image:
- offset: 0x0000000, size: 0x0100000 - bootloader
- offset: 0x0100000, size: 0x0001000 - sig_table
- offset: 0x0110000, size: 0x0010000 - pdb_seca
- offset: 0x0130000, size: 0x03e6c00 - kernel
- offset: 0x0630000, size: 0x2000000 - rootFS (1st part)
- offset: 0x2630000, size: 0x07b8080 - rootFS (2nd part)
The fix for CVE-2025-6198 introduced two additional checks in the smci_parse_sigtbl function. The first validates that the offset of the sig_table region ("sigtbl offset"), which contains the table used during the validation process described above, is equal to the hardcoded value 0x100000. The second checks that the table contains a region whose offset is equal to or greater than the "sigtbl offset" and whose (offset + size) is greater than the "sigtbl offset". However, the offset and size of the sig_table region actually used during the validation process are never checked against the sig_table entry defined in the table itself. A potential attacker can therefore replace the vendor-provided sig_table region with a custom one, place the original data somewhere in the unreserved firmware space, and bypass the validation process.
In our example attack, we attempt to update the BMC firmware using an image containing a customised kernel. Specifically, we modify 0x200 bytes of the kernel starting from offset 0x1c8e00. First, we move the content of the original sig_table region into the unreserved space between the end of the sig_table region (0x101000) and the start of the pdb_seca region (0x110000), where 0xf000 bytes are available. Right after the copied sig_table, we place the original 0x200 bytes of the kernel starting from offset 0x1c8e00 (the data that we want to modify). Finally, the modified sig_table region is placed at offset 0x100000 with the following custom table content:
- offset: 0x0000000, size: 0x0100000 - bootloader
- offset: 0x0100000, size: 0x0000001 - sig_table (1st part)
- offset: 0x0101001, size: 0x0000fff - sig_table (2nd part)
- offset: 0x0110000, size: 0x0010000 - pdb_seca
- offset: 0x0130000, size: 0x0098e00 - kernel (before custom content)
- offset: 0x0102000, size: 0x0000200 - kernel (original data that was replaced with custom content)
- offset: 0x01c9000, size: 0x034dc00 - kernel (after custom content)
- offset: 0x0630000, size: 0x2000000 - rootFS (1st part)
- offset: 0x2630000, size: 0x07b8080 - rootFS (2nd part)
The sig_table region has been split into two parts deliberately so that the checks introduced by the fix for CVE-2025-6198 are satisfied: the first part is located at the required offset 0x100000 and has a non-zero size.
Note: to comply with all the checks performed in the smci_sigtbl_parser function, it is also necessary to ensure that the checksum of the updated sig_table region is zero. This can be achieved by modifying two bytes located at offset 0x10000e.
Now, the 0x200 bytes of the kernel located at offset 0x1c8e00 can be modified arbitrarily while validation of the image still succeeds. We were able to validate this technique on a device: it resulted in the execution of a customized Linux kernel during boot, which effectively allowed us to bypass the BMC RoT feature.
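To make the gap in the fix concrete, the following added example (written for this advisory, not Supermicro's or BINARLY's code) models the two checks the fix added and a stricter check that would reject the crafted table above. The region tables are transcribed from the advisory; the function names and the (offset, size, name) tuple format are assumptions.

```python
# Added illustration, not vendor code. Models the two checks the advisory says the
# CVE-2025-6198 fix added, plus the missing check: the sig_table entries in the table
# must describe exactly the sig_table region that was actually parsed.
# Function names and the (offset, size, name) tuple format are assumptions.
SIGTBL_OFFSET = 0x100000  # hardcoded "sigtbl offset" the fix compares against
SIGTBL_SIZE = 0x1000      # size of the sig_table region in the vendor layout

VENDOR_TABLE = [  # vendor layout from the advisory
    (0x0000000, 0x0100000, "bootloader"),
    (0x0100000, 0x0001000, "sig_table"),
    (0x0110000, 0x0010000, "pdb_seca"),
    (0x0130000, 0x03e6c00, "kernel"),
    (0x0630000, 0x2000000, "rootFS (1st part)"),
    (0x2630000, 0x07b8080, "rootFS (2nd part)"),
]

CRAFTED_TABLE = [  # custom table from the advisory's example attack
    (0x0000000, 0x0100000, "bootloader"),
    (0x0100000, 0x0000001, "sig_table (1st part)"),
    (0x0101001, 0x0000fff, "sig_table (2nd part)"),
    (0x0110000, 0x0010000, "pdb_seca"),
    (0x0130000, 0x0098e00, "kernel (before custom content)"),
    (0x0102000, 0x0000200, "kernel (original data)"),
    (0x01c9000, 0x034dc00, "kernel (after custom content)"),
    (0x0630000, 0x2000000, "rootFS (1st part)"),
    (0x2630000, 0x07b8080, "rootFS (2nd part)"),
]

def incomplete_fix_check(table, sigtbl_offset=SIGTBL_OFFSET):
    """The two checks added by the CVE-2025-6198 fix, as the advisory describes them."""
    if sigtbl_offset != SIGTBL_OFFSET:
        return False
    return any(off >= sigtbl_offset and off + size > sigtbl_offset
               for off, size, _ in table)

def strict_check(table, sigtbl_offset=SIGTBL_OFFSET, sigtbl_size=SIGTBL_SIZE):
    """Additionally require that the entries touching the parsed sig_table window tile
    it exactly, so the table cannot describe a sig_table other than the one parsed."""
    if not incomplete_fix_check(table, sigtbl_offset):
        return False
    end = sigtbl_offset + sigtbl_size
    spans = sorted((off, off + size) for off, size, _ in table
                   if off < end and off + size > sigtbl_offset)
    if not spans or spans[0][0] != sigtbl_offset or spans[-1][1] != end:
        return False
    # consecutive entries must be contiguous: no gaps and no overlaps
    return all(spans[i][1] == spans[i + 1][0] for i in range(len(spans) - 1))
```

The crafted table passes `incomplete_fix_check` because its first sig_table entry sits at 0x100000 with a non-zero size, but fails `strict_check` because that entry covers only one byte of the 0x1000-byte region that was parsed.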
Note: it is also possible to downgrade the BMC firmware. For example, when using the latest firmware, the firmware image with version 01.03.47 is accepted and flashed.
Disclosure timeline
This bug is subject to a 90-day disclosure deadline. After 90 days have elapsed or a patch has been made broadly available (whichever is earlier), the bug report will become visible to the public.
| Disclosure Activity | Date (YYYY-mm-dd) |
|---|---|
| Supermicro PSIRT is notified | 2025-10-16 |
| Supermicro PSIRT confirmed reported issue | 2025-10-24 |
| Supermicro PSIRT assigned CVE number | 2025-10-24 |
| Supermicro PSIRT public disclosure date | 2026-01-17 |
| BINARLY public disclosure date | 2026-01-26 |