Cloud servers vulnerable to attack

Firmware vulnerabilities in bare-metal cloud servers let hackers install malware and backdoors that keep granting access to a server as it is reassigned to new customers. Researchers at Eclypsium released a report on firmware security issues that represent "a fundamental gap" in cloud infrastructure security. The findings show that baseboard management controllers (BMCs) built into cloud servers could put customers at risk. While the study is based on IBM SoftLayer technology, other providers may be exposed.

In most infrastructure-as-a-service products, customers share resources on a physical server. Some organizations have high performance requirements for certain applications, or sensitive information they don't want on a machine shared with other firms. In these cases, providers offer bare-metal cloud services. Customers buy full access to a dedicated physical server they can use however they want, without worrying about buying and supporting additional hardware. When customers are done using a bare-metal server, the cloud provider reclaims the server, wipes it and repurposes it for other customers. Bare-metal cloud has some advantages: there are performance improvements, and businesses can install their own software stack. It also introduces new security risks, because customers (including hostile ones) have direct hardware access.


Researchers think that bare-metal servers may not be fully erased before future use. The vulnerability, which is being called Cloudborne, is in the BMC, a privileged component used to manage the server. Using the Intelligent Platform Management Interface (IPMI), administrators can send commands to the server and modify or reinstall an OS without physical access to the machine. Vulnerabilities in the BMC could allow any customer to leave a backdoor on the server. The problem is that a malicious customer can modify the BMC firmware and infect future users of the same machine with ransomware and other threats.

Researchers bought access to a bare-metal server, verified it was running the latest BMC firmware, and noted the product chassis and serial numbers so they could identify the machine later. They then made a minor change to the firmware (a single bit flip inside a text comment they had prepared) and created an additional IPMI user, which they gave administrative access to the BMC channels. The researchers returned the server to IBM, which reclaimed it, and they were later able to reacquire the same server. Even though the new IPMI account was gone, the change to the BMC firmware remained. Researchers say this shows the BMC firmware wasn't re-flashed during reclamation, which makes it possible to implant malicious code into the firmware and steal data from future users. Researchers also noticed that the BMC logs were retained across provisioning, as was the root password. Since the logs were not deleted, future customers could view the actions of previous server owners, and an attacker could use the retained root password for future access.

Eclypsium disclosed their findings to IBM. In response, IBM published a blog post stating that the issue has been addressed and that no evidence was found of it being exploited. IBM stated that it is forcing all BMCs, including those reporting up-to-date firmware, to be re-flashed with factory firmware before they are given to new customers. IBM will also erase all logs in the BMC and regenerate all passwords for the firmware.

IBM's practice of cleaning servers before redeploying them is a good start, but not a complete resolution. The firmware update process itself can be subverted by malicious firmware: an attacker can flash custom code that prevents the provider from detecting the backdoored image. The researchers also note that public tools exist to create custom firmware images for Supermicro components, and that attackers can use these tools to build such code.
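The experiment above and IBM's remediation suggest what a provider's reclamation check should verify: not just the firmware version string, but the whole image, the IPMI user table, the event log and the root credential. The following is an added defensive example written for this page, not Eclypsium's or IBM's tooling. It assumes a `BmcState` record populated by whatever out-of-band inventory the provider has; the factory image, user list and hash values are constructed stand-ins. It reproduces the single-bit-flip test and shows that a version-only check passes the tampered image while an image digest check rejects it.

```python
"""Reclamation-time audit of a bare-metal server's BMC (added example)."""
import hashlib
from dataclasses import dataclass

# Constructed stand-in for the factory BMC firmware image and its version.
# A real image is megabytes; a short byte string is enough for the check.
FACTORY_VERSION = "3.31"
FACTORY_IMAGE = bytes(range(256)) * 4
FACTORY_DIGEST = hashlib.sha256(FACTORY_IMAGE).hexdigest()

# IPMI accounts the provider expects on a freshly reclaimed BMC (constructed).
BASELINE_USERS = frozenset({("ADMIN", "ADMINISTRATOR")})


@dataclass(frozen=True)
class BmcState:
    """What an out-of-band inventory of one BMC reports at reclamation time."""
    firmware_version: str
    firmware_image: bytes
    ipmi_users: frozenset          # (user name, privilege level) pairs
    sel_entry_count: int           # entries still in the BMC's event log
    root_password_hash: str        # hash of the BMC root password now set


def flip_bit(image: bytes, byte_index: int, bit: int) -> bytes:
    """Return a copy of image with one bit toggled, mirroring the test."""
    buf = bytearray(image)
    buf[byte_index] ^= 1 << bit
    return bytes(buf)


def version_only_check(state: BmcState) -> bool:
    """The weak check: trusts the version string the firmware reports."""
    return state.firmware_version == FACTORY_VERSION


def audit_bmc(state: BmcState, previous_root_hash: str) -> list:
    """Return findings left over from the previous tenant; [] means clean."""
    findings = []
    if state.firmware_version != FACTORY_VERSION:
        findings.append("firmware version differs from factory version")
    # Hash the whole image: a single flipped bit changes the digest even
    # though the version string still reads as up to date.
    if hashlib.sha256(state.firmware_image).hexdigest() != FACTORY_DIGEST:
        findings.append("firmware image differs from factory image")
    for name, priv in sorted(state.ipmi_users - BASELINE_USERS):
        findings.append(f"unexpected IPMI user {name!r} with privilege {priv}")
    if state.sel_entry_count:
        findings.append(f"{state.sel_entry_count} BMC log entries retained")
    if state.root_password_hash == previous_root_hash:
        findings.append("BMC root password not regenerated")
    return findings


def ready_for_customer(state: BmcState, previous_root_hash: str) -> bool:
    """Hand the server over only when the audit comes back empty."""
    return not audit_bmc(state, previous_root_hash)


# Constructed samples: the root hash set by the previous tenant's lifecycle.
PREVIOUS_ROOT_HASH = "e3b0c442-constructed-previous-hash"

# A BMC handed back by a tenant who flipped one bit and added an admin user,
# with logs and the root password untouched (as in the Cloudborne test).
TAMPERED = BmcState(
    firmware_version=FACTORY_VERSION,
    firmware_image=flip_bit(FACTORY_IMAGE, byte_index=100, bit=3),
    ipmi_users=BASELINE_USERS | {("EXTRA1", "ADMINISTRATOR")},
    sel_entry_count=42,
    root_password_hash=PREVIOUS_ROOT_HASH,
)

# The same server after a forced re-flash, log wipe and password rotation.
CLEAN = BmcState(
    firmware_version=FACTORY_VERSION,
    firmware_image=FACTORY_IMAGE,
    ipmi_users=BASELINE_USERS,
    sel_entry_count=0,
    root_password_hash="9f86d081-constructed-new-hash",
)

if __name__ == "__main__":
    print("version-only check passes tampered BMC:", version_only_check(TAMPERED))
    for finding in audit_bmc(TAMPERED, PREVIOUS_ROOT_HASH):
        print("finding:", finding)
    print("clean BMC ready:", ready_for_customer(CLEAN, PREVIOUS_ROOT_HASH))
```

Two design points follow from the article. First, the audit must run unconditionally, as IBM's policy does, because `version_only_check` would have accepted the tampered image. Second, `firmware_image` has to come from a source the firmware cannot influence (a read of the flash part rather than a self-report over IPMI); the last paragraph's point is precisely that a backdoored image can lie about itself when asked, so a digest computed from a self-reported copy proves nothing.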