A new flaw has been discovered by security researchers that could enable hackers to install backdoors on the firmware of bare-metal cloud servers that stay active even when the customer using the hardware has been re-assigned elsewhere.
Called "Cloudbourne", the vulnerability was first discovered by researchers at the Eclypsium Research Team, who detailed their findings in a blog post. They found that hackers could plant backdoors and malware in the firmware of a server, or in its baseboard management controller (BMC), with relative ease.
These BMCs enable remote management of a server for initial provisioning, operating system reinstall and troubleshooting. Cloudborne exploits a flaw in the hardware's reclamation process when moving clients on and off a bare metal server.
While physical servers are dedicated to one customer at a time, they don't stay that way forever," said researchers. "Servers are provisioned and reclaimed over time and naturally move from customer to customer."
The firmware of the hardware is not reflashed in the reclamation process, allowing backdoors to persist. A hacker uses a known vulnerability in Supermicro hardware to rewrite the BMC and gain direct access to the hardware.
Researchers said that hackers "could spend a nominal sum of money for access to a server, implant malicious firmware at the UEFI, BMC, or even component level, such as in drives or network adapters. Then the attacker could release the hardware back to the service provider, which could put it back into use with another customer."
They added that given a BMC's ability to control the server, any compromises to that firmware can provide access to powerful tools for an attacker to exploit.
"Given the nature of the applications and data hosted on bare-metal offerings, this opens up the possibility for high-impact attack scenarios," they said.
These scenarios include application disruption, where a malicious implant at the BMC level could permanently disable a server; data theft, as it provides attackers with another very low-level way of stealing or intercepting data; and ransomware attacks, as attackers would naturally have the ability to take hold of valuable assets.
The backdoor could also compromise other parts of cloud infrastructure. For example, hackers could send malicious IPMI commands over system interfaces from the host without the commands being authenticated.
"Since there is no authentication performed when using system interfaces, the only barrier to running arbitrary code within the BMC is whether the BMC itself performs cryptographically secure signature verification of the firmware update image before applying the update. Unfortunately, not all BMCs perform this check, and even when they do, malware can exploit vulnerabilities in the BMC firmware to bypass it," noted researchers.
Researchers said that as firmware underlies even the host operating system and the virtualization layers of a server, any implants would naturally be able to subvert any controls and security measures running at these higher layers.
-
The Race Is On for Higher Ed to Adapt: Equity in Hyflex Learning -
Google faces 'first of its kind' class action for search ads overcharging in UKNews Google faces a "first of its kind" £5 billion lawsuit in the UK over accusations it has a monopoly in digital advertising that allows it to overcharge customers.
-
HPE eyes enterprise data sovereignty gains with Aruba Networking Central expansionNews HPE has announced a sweeping expansion of its Aruba Networking Central platform, offering users a raft of new features focused on driving security and data sovereignty.
-
Fortify your future: How HPE ProLiant Servers deliver top-tier cyber security, management, and performanceWhitepaper Deploy servers with a secure approach
-
Fortify your future with HPE ProLiant Servers powered by IntelWhitepaper Enhance your security and manage your servers more effectively
-
Architecting enterprise networks for the next decadeWhitepaper A new paradigm in network architecture
-
Why network monitoring tools fail within secure environmentsWhitepaper Gain visibility into devices, networks, and applications
-
Better together: HPE Aruba Networking CX switches and HPE Aruba Networking CentralWhitepaper Explore the power and simplicity of managing HPE Aruba Networking CX Switches with HPE Aruba Networking Central
-
Cyber-resilient infrastructure starts with server securitywhitepaper Take a security-focused approach when investing in the next wave of IT infrastructure.
-
Driving digital innovation with intelligent infrastructurewhitepaper Strong infrastructure investment is driving digital in all industries
