In January 2019, a researcher revealed a devastating vulnerability in one of the most powerful and sensitive devices embedded in modern servers and workstations. With a severity of 9.8 out of 10, the vulnerability affected a variety of baseboard management controllers from multiple vendors. Soldered onto the motherboard of servers, these tiny computers allow cloud centers, and sometimes their customers, to streamline the remote management of vast computer fleets. They allow administrators to remotely reinstall operating systems, install and uninstall apps, and control almost every other aspect of the system—even when it’s powered off.
Pantsdown, as researchers called the threat, presented an exceptional opportunity to anyone who already had access to the server. By exploiting the arbitrary read/write bug, the hacker could become a super administrator with ultimate control over an entire data center at all times.
Industry is mobilizing… except for one
Over the next few months, several BMC vendors released patches and advisories that told customers why patching the vulnerability was critical.
Now researchers at the security company Eclypsium have reported a worrying finding: for unknown reasons, a widely used BMC from data center solutions provider Quanta remained unpatched against the vulnerability as recently as last month.
As if Quanta’s inaction wasn’t enough, the company’s current stance also remains confusing. After Eclypsium privately reported its findings to Quanta, the solutions company responded that it had finally fixed the vulnerability. But instead of issuing an advisory and releasing a patch — as almost every company does when fixing a critical vulnerability — it told Eclypsium that it provides updates privately on a customer-by-customer basis. As this post was going live, “CVE-2019-6260,” the industry label used to track the vulnerability, did not appear on Quanta’s website.
In an email, Eclypsium VP of Technology John Loucaides wrote:
“Eclypsium also notes that custom servers (e.g., Quanta) were not patched until 2019 to detect vulnerabilities. This affects a large number of devices from a large number of cloud providers. The problem isn’t any vulnerability, it’s the system that makes cloud servers old and vulnerable. Quanta has just released the patch for these systems and has not made it available for review. In fact, their response to us was that they would only be made available upon support request.”
Several Quanta representatives did not respond to two emails sent on consecutive days asking for confirmation of Eclypsium’s timeline and an explanation of the patching process and policies.
Current but not patched
A blog post Eclypsium published Thursday demonstrates the type of attack that could be performed against Quanta BMCs running the firmware available on Quanta’s update page as of last month, more than three years after Pantsdown came to light.
Eclypsium’s accompanying video shows an attacker gaining access to the BMC after exploiting the vulnerability to modify its web server. The attacker then runs a publicly available tool that uses Pantsdown to read and write the BMC firmware. The tool allows the attacker to feed the BMC code that opens a reverse web shell when a legitimate administrator refreshes a web page or connects to the server. The next time the administrator tries to perform either action, it fails with a connection error.
However, behind the scenes and unbeknownst to the administrator, the attacker’s reverse shell opens. From then on, the attacker has full control over the BMC and can use it to do anything a legitimate administrator can, including setting up persistent access or even bricking the server permanently.
The power and ease of use of the Pantsdown exploit are by no means new. What’s new is that, contrary to expectations, these types of attacks have remained possible on BMCs running Quanta firmware that was still being distributed just last month.
Quanta’s decision not to release a patched version of its firmware, or even an advisory, combined with its radio silence toward reporters asking legitimate questions, should be a red flag. Data centers and data center customers using this company’s BMCs should verify the integrity of their firmware or contact Quanta’s support team for more information.
Even when BMCs come from other manufacturers, cloud centers and their customers should not assume that they are patched against Pantsdown.
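One concrete way to act on the advice above is to compare each host’s BMC firmware image against an allowlist of known-good hashes, so that an image that has been modified (which is exactly what the Pantsdown attack described earlier does) or that matches a known pre-patch build is flagged for action. The script below is an added example, not code from the article, from Eclypsium or from Quanta. It assumes the operator already holds trustworthy hashes (from the vendor or from a freshly installed golden image) and that firmware dumps are available as plain files; the host names, image contents and hash tables are constructed for illustration and are not real Quanta firmware.

```python
"""Added example: classify BMC firmware images by SHA-256 against known-good
and known-vulnerable hash tables. All sample data below is constructed."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class FirmwareCheck:
    host: str
    sha256: str
    status: str  # "known-good", "known-vulnerable" or "unknown"


def sha256_hex(data: bytes) -> str:
    """SHA-256 of a firmware image as a lowercase hex digest."""
    return hashlib.sha256(data).hexdigest()


def classify_image(host: str, image: bytes,
                   known_good: Dict[str, str],
                   known_vulnerable: Dict[str, str]) -> FirmwareCheck:
    """Match an image hash against the allowlist first, then the denylist.
    Anything that matches neither is 'unknown' and still needs a human look:
    a modified image looks exactly like this."""
    digest = sha256_hex(image)
    if digest in known_good:
        status = "known-good"
    elif digest in known_vulnerable:
        status = "known-vulnerable"
    else:
        status = "unknown"
    return FirmwareCheck(host, digest, status)


def audit_fleet(images: Dict[str, bytes],
                known_good: Dict[str, str],
                known_vulnerable: Dict[str, str]) -> List[FirmwareCheck]:
    """Classify every host's dumped image; sorted so output is stable."""
    return [classify_image(host, img, known_good, known_vulnerable)
            for host, img in sorted(images.items())]


def hosts_needing_action(results: List[FirmwareCheck]) -> List[str]:
    """Hosts whose firmware is not on the allowlist."""
    return [r.host for r in results if r.status != "known-good"]


# --- constructed sample data (hypothetical hosts and fake images) ---
PATCHED_IMAGE = b"CONSTRUCTED-BMC-IMAGE: build after CVE-2019-6260 fix\n" * 64
VULNERABLE_IMAGE = b"CONSTRUCTED-BMC-IMAGE: build before disclosure\n" * 64
# Same as the patched image except for one trailing byte: a stand-in for an
# image that an attacker has modified in place.
TAMPERED_IMAGE = PATCHED_IMAGE[:-1] + b"\x00"

KNOWN_GOOD = {sha256_hex(PATCHED_IMAGE): "vendor build, patched (constructed)"}
KNOWN_VULNERABLE = {sha256_hex(VULNERABLE_IMAGE): "pre-patch build (constructed)"}

FLEET = {
    "node-01": PATCHED_IMAGE,
    "node-02": VULNERABLE_IMAGE,
    "node-03": TAMPERED_IMAGE,
}

if __name__ == "__main__":
    results = audit_fleet(FLEET, KNOWN_GOOD, KNOWN_VULNERABLE)
    for r in results:
        print(f"{r.host}: {r.status} (sha256 {r.sha256[:16]}...)")
    print("needs action:", hosts_needing_action(results))
```

Two caveats for real use: the hash of an image is only as trustworthy as the path it was dumped over, since firmware on a controller that is already compromised can misreport itself, so dumps should be taken out-of-band where the platform allows it; and an "unknown" result is a prompt to investigate, not proof of compromise, because the vendor may simply have shipped a build that is not yet in the allowlist.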
“This is a serious issue and we do not believe it is a one-off event,” Loucaides wrote. “We have seen currently deployed devices from every OEM that remain vulnerable. Most of them have updates that just didn’t get installed. However, Quanta’s systems and their response set them apart from others.”