Cloudborne vulnerability could allow attackers to implant backdoor in the BMC firmware

• BMC components in servers could be infected to perform a PDoS attack, steal data or execute a ransomware attack.
• IBM issued firmware update to fix the vulnerability in its servers.

What is the issue - Researchers detected a new vulnerability dubbed ‘Cloudborne’ that could allow attackers to implant backdoor in the firmware or BMC of bare metal servers causing a variety of attack situations.

The Baseboard Management Controller (BMC) is a third-party component designed to enable remote management of a server for initial provisioning, operating system reinstall, and troubleshooting.

What to watch for - The various attack situations an attacker could perform by exploiting this vulnerability includes,

• Perform a permanent denial-of-service (PDoS) attack
• Steal data from the application running on the cloud service
• Execute a ransomware attack by disabling the application

The big picture - Eclypsium Research Team detected the cloudborne vulnerability that could allow attackers to implant malicious backdoors within the firmware of cloud services' shared infrastructure.

• Researchers noted that these implants can survive even after the cloud service provider distributes the server to another customer.
• This implies that once the implant is successfully dropped on a bare metal server, it will survive between client switches performed by the provider.

“Even though the hardware is dedicated to a single customer at a given point in time, they could easily be using 2nd, 3rd, or nth hand hardware. In a bare-metal cloud service offering, the underlying hardware could easily pass through dozens of "owners" with direct access and control over that hardware,” researchers noted in a blog.

To be precise, attackers could compromise bare metal servers and implant malicious backdoors and code in the firmware of BMC with minimal skills. However, Eclypsium researchers noted that removing the malicious implant is highly impractical as it could require the service provider to physically connect to chips to reflash the firmware.

How severe is it - IBM published the details of the vulnerability assigning a low severity rating for the vulnerability. However, Eclypsium denied that a low severity rating is not appropriate and that they would classify the vulnerability as a critical vulnerability with 9.3 severity rating.

What steps were taken to prevent attacks

• IBM has enforced all BMCs, including those that are already reporting updated firmware to be reflashed with factory firmware before they are re-provisioned to other customers.
• Further, IBM has reset all BMC firmware passwords and has erased all logs in the BMC firmware.

“The BMC has limited processing power and memory, which makes these types of attacks difficult. IBM has found no indication that this vulnerability has been exploited for malicious purposes. In addition, all clients of IBM Cloud receive a private network for their BMCs, separate from the private networks containing other clients’ BMCs and unprovisioned BMCs,” IBM noted.