A new flaw has been discovered by security researchers that could enable hackers to install backdoors on the firmware of bare-metal cloud servers that stay active even when the customer using the hardware has been re-assigned elsewhere.
Called "Cloudbourne", the vulnerability was first discovered by researchers at the Eclypsium Research Team, who detailed their findings in a blog post. They found that hackers could plant backdoors and malware in the firmware of a server, or in its baseboard management controller (BMC), with relative ease.
These BMCs enable remote management of a server for initial provisioning, operating system reinstall and troubleshooting. Cloudborne exploits a flaw in the hardware's reclamation process when moving clients on and off a bare metal server.
While physical servers are dedicated to one customer at a time, they don't stay that way forever," said researchers. "Servers are provisioned and reclaimed over time and naturally move from customer to customer."
The firmware of the hardware is not reflashed in the reclamation process, allowing backdoors to persist. A hacker uses a known vulnerability in Supermicro hardware to rewrite the BMC and gain direct access to the hardware.
Researchers said that hackers "could spend a nominal sum of money for access to a server, implant malicious firmware at the UEFI, BMC, or even component level, such as in drives or network adapters. Then the attacker could release the hardware back to the service provider, which could put it back into use with another customer."
They added that given a BMC's ability to control the server, any compromises to that firmware can provide access to powerful tools for an attacker to exploit.
"Given the nature of the applications and data hosted on bare-metal offerings, this opens up the possibility for high-impact attack scenarios," they said.
These scenarios include application disruption, where a malicious implant at the BMC level could permanently disable a server; data theft, as it provides attackers with another very low-level way of stealing or intercepting data; and ransomware attacks, as attackers would naturally have the ability to take hold of valuable assets.
The backdoor could also compromise other parts of cloud infrastructure. For example, hackers could send malicious IPMI commands over system interfaces from the host without the commands being authenticated.
"Since there is no authentication performed when using system interfaces, the only barrier to running arbitrary code within the BMC is whether the BMC itself performs cryptographically secure signature verification of the firmware update image before applying the update. Unfortunately, not all BMCs perform this check, and even when they do, malware can exploit vulnerabilities in the BMC firmware to bypass it," noted researchers.
Researchers said that as firmware underlies even the host operating system and the virtualization layers of a server, any implants would naturally be able to subvert any controls and security measures running at these higher layers.
-
AWS targets IT modernization gains with new agentic AI features in TransformNews New custom agents aim to speed up legacy code modernization and mainframe overhauls
-
HSBC partners with Mistral to fuel bank-wide generative AI adoptionNews The multi-year, strategic partnership will focus on transforming a range of services and tasks from customer-facing to fraud detection and more
-
Russian hackers are using an old Cisco flaw to target network devices – here’s how you can stay safeNews With the aim of carrying out espionage, Russia's Center 16 is targeting infrastructure organizations around the world
-
HPE eyes enterprise data sovereignty gains with Aruba Networking Central expansionNews HPE has announced a sweeping expansion of its Aruba Networking Central platform, offering users a raft of new features focused on driving security and data sovereignty.
-
Fortify your future: How HPE ProLiant Servers deliver top-tier cyber security, management, and performanceWhitepaper Deploy servers with a secure approach
-
Fortify your future with HPE ProLiant Servers powered by IntelWhitepaper Enhance your security and manage your servers more effectively
-
Architecting enterprise networks for the next decadeWhitepaper A new paradigm in network architecture
-
Why network monitoring tools fail within secure environmentsWhitepaper Gain visibility into devices, networks, and applications
-
Better together: HPE Aruba Networking CX switches and HPE Aruba Networking CentralWhitepaper Explore the power and simplicity of managing HPE Aruba Networking CX Switches with HPE Aruba Networking Central
-
Cyber-resilient infrastructure starts with server securitywhitepaper Take a security-focused approach when investing in the next wave of IT infrastructure.
