A recent flaw that allows hackers to implant backdoors for data theft on bare metal servers that survive client reassignment on general cloud servers has been discovered.
The vulnerability dubbed as Cloudborne was spotted by researchers from Eclypsium, a cybersecurity vendor.
In a published report, they practically disclosed the processes used by many cloud providers that unintentionally grants access to an attacker to interpolate the firmware code in servers, creating a backdoor.
The hacker would then release the server back to the cloud provider, leaving the next customer with a server that is compromised. Under the Common Vulnerability Scoring System, Eclypsium rated it as 9.3 critical attack.
The researchers disclosed that while infrastructure-as-a-service (IaaS) offerings are dedicated to one customer at a time, they won’t stay that way forever, as they are bought or reclaimed by others over time.
They had tested the vulnerability with IBM SoftLayer, making it clear that is not exclusive to its cloud servers alone.
Eclypsium, who had previously discovered problems with servers belonging to Supermicro, stated that IBM SoftLayer had bought x86 servers from Supermicro for a couple of years.
In the report released, the researchers gave a breakdown of what they did. They had provisioned a bare metal server from IBM and verified the version of the BMC was running Supermicro’s latest software release.
Then, they took note of the product and chassis serial numbers and made a simple change to the BMC software by altering a bit. Using the AIUpdate tool, they updated the BMC firmware and created an additional IPMI user with admin access to the BMC server.
They noticed that immediately IBM ran its reclamation routine, the server was available to be bought by unsuspecting customers.
Eventually, they provisioned the server they had altered, and while the additional user data have been removed by IBM, the alterations to the firmware were very much in place. They also noticed that the logs were still available and the root password had not changed.
This, they described, would make a customer gain access into the activity of the previous user, but would allow an attacker to gain more control over the firmware in the future.
In reaction to the damaging reports, IBM stated that it wasn’t aware that the data of its clients had been exploited by the vulnerability. The company also disclosed that it had taken necessary measures to eliminate the threat it had rated as a Low Severity risk.