Security researchers at Eclypsium, a hardware security startup, published a paper yesterday, examining the vulnerabilities in Bare Metal Cloud Servers (BMCs) that allow attackers to exploit and steal data.
“We found weaknesses in methods for updating server BMC firmware that would allow an attacker to install malicious BMC firmware..these vulnerabilities can allow an attacker to not only do damage but also add other malicious implants that can persist and steal data”, states the researchers.
BMC is a highly privileged component and part of the Intelligent Platform Management Interface (IPMI). It can monitor the state of a computer and allow an operating system reinstall from a remote management console through an independent connection. This means that there’s no need to physically attach a monitor, keyboard, and installation media to the server in BMCs. Now, although Bare-metal cloud offerings come with considerable benefits, they also pose new risks and challenges to security.
For instance, in the majority of the cloud services, once a customer uses a bare-metal server, the hardware can be reclaimed by the service provider which is then repurposed for another customer. Similarly, for a bare-metal cloud service offering, the underlying hardware can be easily passed through different owners, providing direct access to control that hardware. This access gives rise to attackers controlling the hardware, who can spend a nominal sum of money for access to a server, and implant malicious firmware at the UEFI, BMC, and within drives or network adapters. This hardware can then get released by the attacker to the service provider, who could further pass it on for use to another customer.
Eclypsium researchers have used IBM SoftLayer tecIhnology, as a case study to test the attack scenario on. However, researchers mention that the attack is not limited to any one service provider.IBM acquired SoftLayer Technologies, a managed hosting, and cloud computing provider in 2013 and is now known as IBM Cloud. The vulnerability found has been named as Cloudborne.
Researchers chose SoftLayer as the testing environment due to its simplified logistics and access to hardware. However, SoftLayer was using a super vulnerable Supermicro server hardware. It took about 45 minutes for the Eclypsium team to provision the server.
Once the instance was provisioned, they found out that it had the latest BMC firmware available. An additional IPMI user was created and given the administrative access to the BMC channels. This system was then finally released to IBM, which kicked off the reclamation process. Researchers noticed that the additional IPMI user was removed during the reclamation process but BMC firmware comprising the flipped bit was still present, meaning that servers’ BMC firmware was not re-flashed during the server reclamation process.
“The combination of using vulnerable hardware and not re-flashing the firmware makes it possible to implant malicious code into the server’s BMC firmware and inflict damage or steal data from IBM clients that use that server in the future”, states the researchers.
Other than that, BMC logs were also retained during provisioning, giving the new customer insights into the actions of the previous device owner. Also, the BMC root password was the same across provisioning, allowing the attacker to easily have control over the machine in the future.
“While these issues have heightened importance for bare-metal services, they also apply to all services hosted in public and private clouds..to secure their applications, organizations must be able to manage these issues—or run the risk of endangering their most critical assets”, mentions Eclypsium researchers.
For more information, check out the official Eclypsium paper.
Read Next
Security researchers discloses vulnerabilities in TLS libraries and the downgrade Attack on TLS 1.3
Drupal releases security advisory for ‘serious’ Remote Code Execution vulnerability
