Antihack Blog

Hackers Backdoor Cloud Servers to Attack Future Customers

20 Mar 2019

A new vulnerability dubbed Cloudborne can allow attackers to implant backdoor implants in the firmware or BMC of bare metal servers that survive client reassignment in bare metal and general cloud services, leading to a variety of attack scenarios.

Organizations deploying critical high-value apps on bare metal servers through Infrastructure as a Service (IaaS) offerings consider it the best alternative to buying their own hardware because this allows for easy and quick scaling of cloud-based applications without the need of sharing the hardware with other users.

While this generally means that an organization's critical apps are always running on dedicated servers, the fact that those servers are reclaimed and re-assigned once the client no longer needs them exposes them to firmware weaknesses and vulnerabilities that can persist between customer assignments.

Attackers can implant persistent backdoors

As discovered by the Eclypsium Research Team, attackers can implant malicious backdoors within the firmware of cloud services' shared infrastructure, with these implants being able to survive after the cloud service provider distributes the server to another customer.

[..] even though the hardware is dedicated to a single customer at a given point in time, they could easily be using 2nd, 3rd, or nth hand hardware. [..] In a bare-metal cloud service offering, the underlying hardware could easily pass through dozens of "owners" with direct access and control over that hardware.

More exactly, bare metal servers can be compromised by potential attackers which could add malicious backdoors and code in the firmware of a server or in its baseboard management controller (BMC) with minimal skills.

"The Baseboard Management Controller (BMC) is a third-party component designed to enable remote management of a server for initial provisioning, operating system reinstall and troubleshooting," says IBM.

Once this type of backdoor implant is successfully dropped on a bare metal server, it will survive between client switches performed by the provider.

As detailed by Eclypsium, "Truly removing a malicious implant could require the service provider to physically connect to chips to reflash the firmware, which is highly impractical at scale."

Multiple attack scenarios

By exploiting this vulnerability, dubbed Cloudborne, would-be attackers can go through a number of attack scenarios:

Performing a permanent denial-of-service (PDoS) attack or just bricking the compromised bare metal server
Stealing or intercepting data from the application running on the cloud service
Running a ransomware-type of attack by either damaging data on the bare metal server or disabling the application
It's important to mention that, while a Cloudborne attack scenario was tested against IBM’s SoftLayer cloud services, the issue of backdoor implants surviving the reclamation process found by Eclypsium is also present in the infrastructure of all other cloud providers.

Different severity rating from IBM and Eclypsium
IBM published details about the vulnerability on February 25 stating that:

On some system models offered by IBM Cloud and other cloud providers, a malicious attacker with access to the provisioned system could overwrite the firmware of the BMC. The system could then be returned to the hardware pool, where the compromised BMC firmware could then be used to attack the next user of the system.

The BMC has limited processing power and memory, which makes these types of attacks difficult. IBM has found no indication that this vulnerability has been exploited for malicious purposes. In addition, all clients of IBM Cloud receive a private network for their BMCs, separate from the private networks containing other clients’ BMCs and unprovisioned BMCs.

As potential fixes or remediation for this security issue which got assigned a low severity by the vendor, IBM said that it forced "all BMCs, including those that are already reporting up-to-date firmware, to be reflashed with factory firmware before they are re-provisioned to other customers. All logs in the BMC firmware are erased and all passwords to the BMC firmware are regenerated."

However, after IBM's post describing the vulnerability and the remediation measures it took against it, "an Eclypsium researcher was able to quickly confirm that he received the same system back that he worked on before (at 16th of Feb) and there was no indication that password or firmware had been changed from the last time he used it.  The researcher is conducting more testing."

Following IBM's publication of the vulnerability residing in their Cloud Baseboard Management Controller (BMC) Firmware, Eclypsium also argues that the low severity is not appropriate stating that they would "classify it as 9.3 (Critical) Severity with the following details: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" given its capability for high security-critical impact.

In addition, Eclypsium explains that:

While the hardware specifications of BMC hardware are low as compared with the host server, the capability for security-critical impact is high. By design, the BMC is intended for managing the host system, and as such, it is more privileged than the host. The BMC has continual access to files, memory (using DMA), keyboard/video, and firmware of the host (which is required because it needs the ability to reinstall/reconfigure it).

Other cloud vendors not yet present in the discussion
Even though IBM and Eclypsium are already engaged in talks regarding the severity level of this vulnerability, other cloud vendors have yet to chime in into a discussion that could be going for a while considering the implications of such security issues on the long term and the apparently extremely hard to implement fixes.

Eclypsium's research team concluded: "Since firmware underlies even the host operating system and the virtualization layers of a server, any implants would naturally be able to subvert any controls and security measures running at these higher layers. [..] Given the nature and data hosted on bare metal offerings, this opens up the possibility for high-impact attack scenarios."

Seeing that the BMC can also communicate with and send data to external networks, having the potential to also reconfigure the host's network interface, would-be attackers are provided with all the tools they need to surreptitiously control a compromised system using one of the attack scenarios detailed by Eclypsium.

While bare metal cloud offerings are very convenient for organizations which do not want to invest in their own hardware, security concerns such as the one the Eclypsium research team unearthed might convince them to switch to hardware that they own and manage on-site to avoid having sensitive data accessed or modified, as well as critical apps disabled.

Sourced from: Bleeping Computer

Share this link: