A new flaw has been discovered by security researchers that could enable hackers to install backdoors on the firmware of bare-metal cloud servers that stay active even when the customer using the hardware has been re-assigned elsewhere.
Called “Cloudbourne”, the vulnerability was first discovered by researchers at the Eclypsium Research Team, who detailed their findings in a blog post. They found that hackers could plant backdoors and malware in the firmware of a server, or in its baseboard management controller (BMC), with relative ease.
These BMCs enable remote management of a server for initial provisioning, operating system reinstall and troubleshooting. Cloudborne exploits a flaw in the hardware’s reclamation process when moving clients on and off a bare metal server.
While physical servers are dedicated to one customer at a time, they don’t stay that way forever,” said researchers. “Servers are provisioned and reclaimed over time and naturally move from customer to customer.”
The firmware of the hardware is not reflashed in the reclamation process, allowing backdoors to persist. A hacker uses a known vulnerability in Supermicro hardware to rewrite the BMC and gain direct access to the hardware.
Researchers said that hackers “could spend a nominal sum of money for access to a server, implant malicious firmware at the UEFI, BMC, or even component level, such as in drives or network adapters. Then the attacker could release the hardware back to the service provider, which could put it back into use with another customer.”
They added that given a BMC’s ability to control the server, any compromises to that firmware can provide access to powerful tools for an attacker to exploit.
“Given the nature of the applications and data hosted on bare-metal offerings, this opens up the possibility for high-impact attack scenarios,” they said.
These scenarios include application disruption, where a malicious implant at the BMC level could permanently disable a server; data theft, as it provides attackers with another very low-level way of stealing or intercepting data; and ransomware attacks, as attackers would naturally have the ability to take hold of valuable assets.
The backdoor could also compromise other parts of cloud infrastructure. For example, hackers could send malicious IPMI commands over system interfaces from the host without the commands being authenticated.
“Since there is no authentication performed when using system interfaces, the only barrier to running arbitrary code within the BMC is whether the BMC itself performs cryptographically secure signature verification of the firmware update image before applying the update. Unfortunately, not all BMCs perform this check, and even when they do, malware can exploit vulnerabilities in the BMC firmware to bypass it,” noted researchers.
Researchers said that as firmware underlies even the host operating system and the virtualization layers of a server, any implants would naturally be able to subvert any controls and security measures running at these higher layers.