Stealthy backdoors: A compromised KVM device can become a powerful backdoor in any environment. An attacker can inject keystrokes to execute commands or access UEFI settings to disable security features such as disk encryption and Secure Boot.Because the device operates outside the controlled system’s OS, endpoint detection tools and host firewalls cannot see it. These devices run their own Linux-based firmware, allowing attackers to hide malware and re-infect connected systems even after disk wipes.”Compromising a KVM device gives an attacker the equivalent of physical access to every machine connected to it,” the Eclypsium researchers warned. “Not ‘kind of like’ physical access. Actual keyboard, video, and mouse control, at the BIOS level, below the operating system, below EDR, below every security control you have deployed.”North Korean spies posing as remote workers have used PiKVM devices connected to laptops and workstations provided to them by employers to fake their physical presence in different countries and gain access to corporate networks.Enterprise-grade KVM switches are not immune to vulnerabilities either. ATEN, one of the leading vendors, patched critical buffer overflow vulnerabilities in some of its products last year. Baseband Management Controller (BMC) interfaces, another type of out-of-band management technology that is common in server products, have been plagued by vulnerabilities for years and some were even exploited to deploy rootkits.Eclypsium advises organizations to isolate KVM devices on dedicated management VLANs, never expose them directly to the internet, deploy two-factor authentication when available, and use VPN solutions to access them. Companies should also audit their networks for KVM devices that they might not be aware of and deploy firmware updates when available.”Audit your KVM deployments,” the researchers wrote. “Know what you have, where it is, and what firmware it is running. These devices are the keys to your kingdom, and right now, too many of them are hanging on the network with the door wide open.”
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4147874/that-cheap-kvm-device-could-expose-your-network-to-remote-compromise.html
