A newvulnerability dubbed Cloudborne can allow attackers to implant backdoor implants in the firmware or BMC of bare metal servers that survive client reassignment in bare metal and general cloud services, leading to a variety of attack scenarios.
Organizations deploying critical high-value apps on bare metal servers through Infrastructureas a Service (IaaS) offerings consider it the best alternative to buying their own hardware because this allows for easy and quick scaling of cloud-based applications without the need ofsharing the hardware with otherusers.
While this generally means that an organization’s critical apps are always running on dedicated servers, the fact that those servers are reclaimed and re-assigned once the client no longer needs them exposes them to firmware weaknesses and vulnerabilities that can persist between customer assignments.
As discovered by theEclypsium Research Team, attackers canimplant malicious backdoors within the firmware of cloud services’ shared infrastructure, with these implants being able to survive after the cloud service provider distributes the server to another customer.
[..] even though the hardware is dedicated to a single customer at a given point in time, they could easily be using2nd, 3rd, or nth hand hardware. [..] In a bare-metal cloud service offering, the underlying hardware could easily pass through dozens of “owners” with direct access and control over that hardware.
More exactly, bare metal servers can be compromised by potential attackers which could add malicious backdoors and code in the firmware of a server or in its baseboard management controller (BMC) with minimal skills.
“The Baseboard Management Controller (BMC) is a third-party component designed to enable remote management of a server for initial provisioning, operating system reinstall and troubleshooting,” says IBM.
Once this type of backdoor implant is successfully dropped on a bare metal server, it will survive between client switches performed by the provider.
As detailed by Eclypsium, “Truly removing a malicious implant could require the service provider to physically connect to chips to reflash the firmware, which is highly impractical at scale.”
By exploiting this vulnerability, dubbed Cloudborne, would-be attackerscan go through a number of attack scenarios:
It’s important to mention that, while a Cloudborneattack scenario was tested againstIBMs SoftLayer cloud services, the issue of backdoor implants surviving the reclamation process found by Eclypsiumis also present in the infrastructure of all other cloud providers.
IBM published details about the vulnerabilityon February 25stating that:
On some system models offered by IBM Cloud and other cloud providers, a maliciousattacker with access to the provisioned systemcould overwrite thefirmware of the BMC.The system could then be returned to the hardware pool, where the compromised BMC firmware could then be used to attack the next user of the system.
The BMC has limited processing power and memory, which makes these types of attacks difficult. IBM has found no indication that this vulnerability has been exploited for malicious purposes.In addition,all clients of IBM Cloud receive a private network for their BMCs,separate from the private networks containing other clients BMCs and unprovisioned BMCs.
As potential fixes or remediation for this security issue which got assigned a low severity by the vendor, IBM said that it forced “all BMCs, including those that are already reporting up-to-date firmware, to be reflashed with factory firmware before they are re-provisioned to other customers. All logs in the BMC firmware are erased and all passwords to the BMC firmware are regenerated.”
However, after IBM’s post describing the vulnerability and the remediation measures it took against it, “an Eclypsium researcher was able to quickly confirm that he received the same system back that he worked on before (at 16th of Feb) and there was no indication that password or firmware had been changed from the last time he used it. The researcher is conducting more testing.”
Following IBM’s publication of the vulnerability residing in theirCloud Baseboard Management Controller (BMC) Firmware,Eclypsiumalso argues that the low severity is not appropriate stating that they would “classify it as 9.3 (Critical) Severity with the following details:CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H” given its capability forhigh security-critical impact.
In addition, Eclypsiumexplains that:
While the hardware specifications of BMC hardware are low as compared with the host server, the capability for security-critical impact is high. By design, the BMC is intended for managing the host system, and as such, it is more privileged than the host. The BMC has continual access to files, memory (using DMA), keyboard/video, and firmware of the host (which is required because it needs the ability to reinstall/reconfigure it).
Even though IBM and Eclypsiumare already engaged in talks regarding the severity level of this vulnerability, other cloud vendors have yet to chime in into a discussion that could be going for a while considering the implications of such security issues on the long term and the apparently extremely hard to implement fixes.
Eclypsium’sresearch team concluded: “Since firmware underlies even the host operating system and the virtualization layers of a server, any implants would naturally be able to subvert any controls and security measuresrunning at these higher layers. [..] Given the nature and data hosted on bare metal offerings, this opens up the possibility for high-impact attack scenarios.”
Seeing that the BMC can also communicate with and send data to external networks, having the potential to also reconfigure the host’s network interface, would-be attackers are provided with all the tools they need to surreptitiously control a compromised system using one of the attack scenarios detailed by Eclypsium.
While bare metal cloud offeringsare very convenient for organizations which do not want to invest in their own hardware, security concerns such as the one the Eclypsiumresearch team unearthed might convince them to switch to hardware that they own and manage on-site to avoid having sensitive data accessed or modified, as well as critical apps disabled.
See the original post here:
Hackers Backdoor Cloud Servers to Attack Future Customers
- Linux Cloud Servers- instantly flexible - May 18th, 2019
- Pricing - Cloud Services | Microsoft Azure - May 13th, 2019
- Hybrid Cloud Security: Simplify Complex ... - Trend Micro - April 28th, 2019
- Best cloud computing services of 2019 | TechRadar - April 8th, 2019
- Cloud vs. In-House Servers: What is the Best Choice ... - January 4th, 2019
- Cloud Services | Design In The Cloud | Autodesk - December 15th, 2018
- Brinkster Cloud Servers - VMware, SolidFire SSD-Based ... - June 2nd, 2018
- Virtual Network Virtual Private Cloud | Microsoft Azure - March 29th, 2018
- Keeping Your Files Safe in Google's Cloud - New York Times - September 7th, 2017
- 5 Reasons SD-WAN, 4G LTE Are Cloud Essentials - No Jitter - September 7th, 2017
- Canon USA Advances PRISMAsync Color Print Server in Version 5.2, Offering Cloud-Based PRISMAlytics Dashboard ... - PR Newswire (press release) - September 7th, 2017
- HPE Reports Q3 Gains Along With Cloud Deal - EnterpriseTech - September 6th, 2017
- Huawei Releases the New-Generation Intelligent Cloud Hardware Platform Atlas - Markets Insider - September 6th, 2017
- Unlocking the promise of a connected world through edge cloud ... - ITProPortal - September 5th, 2017
- Want to do IoT right? You'll need more storage, networking, servers, and cloud - TechRepublic - September 5th, 2017
- So you're already in the cloud but need to come back down to Earth - The Register - September 5th, 2017
- Nasa: Our demands for repeat presidential election - Daily Nation - September 5th, 2017
- Chinese smartphone maker Xiaomi open to moving servers to India - Economic Times - September 5th, 2017
- VMware officially lands on AWS cloud with new management and security features - SiliconANGLE News (blog) - September 2nd, 2017
- VMware-on-AWS is live, and Virtzilla is now a proper SaaS player - The Register - September 2nd, 2017
- Socionext Partners with Advantech to Offer High-Density, Low-Cost ... - Design and Reuse (press release) - September 2nd, 2017
- Municipal adoption of the cloud - American City & County (blog) - August 31st, 2017
- Veeam follows Virtzilla's cloud up the Amazon - The Register - August 31st, 2017
- Where does a business's data live? - Information Age - August 31st, 2017
- IBM cooks up a hardware architecture for tastier cloud-based services - TechTarget - August 31st, 2017
- Tachyum bets on flash storage to re-architect the cloud data center - ZDNet - August 29th, 2017
- Juniper adding microsegmentation to Contrail cloud - TechTarget - August 29th, 2017
- The future of serverless cloud looks a lot like physical servers - TechRepublic - August 29th, 2017
- Demand for server specialists increases, but talent pool is small - Network World - August 29th, 2017
- The pros and cons of cloud vs in house servers - Edmonton - August 28th, 2017
- You Can Now Spin Up VMware Servers in Amazon Data Centers - Data Center Knowledge - August 28th, 2017
- Windows Server 2016 changes prompt a new look at management - TechTarget - August 28th, 2017
- Cloud security market to reach $12B by 2024, driven by rise of cyber attacks - TechRepublic - August 28th, 2017
- Jeff Pulver, Internet Pioneer of VoIP and Entrepreneur Joins ... - Markets Insider - August 28th, 2017
- Google Aims to Boost Cloud Security with Titan Chipset - BizTech Magazine - August 28th, 2017
- Oppo and Vivo plan to move cloud storage to India, following India's new directives on data security - Firstpost - August 28th, 2017
- Digital Deluge on the Cloud - Valley News - August 27th, 2017
- How Can You Improve Document Management By Integrating Cloud-Based File Sharing And What You Need To Know ... - Business 2 Community - August 27th, 2017
- Hitachi rack servers get VMware Cloud treatment The Register - The Register - August 26th, 2017
- CenturyLink enhances VMware-based DCC platform, touts software-defined data center approach - FierceTelecom - August 26th, 2017
- Biz sends apps to public cloud, waves 'bye to on-premises server ... - The Register - August 23rd, 2017
- Druva Raises Another $80 Million - Channel Partners - August 23rd, 2017
- CrashPlan alternatives: How to move to another home backup solution - Macworld - August 23rd, 2017
- VMware shares to surge more than 20% because the Amazon cloud threat is overblown: Analyst - Yahoo Finance - August 23rd, 2017
- AMD Lines Up New China Datacenter Partners - EnterpriseTech - August 23rd, 2017
- How do you bring artificial intelligence from the cloud to the edge? - TNW - August 21st, 2017
- The rice of cloud, avocado of virtualization and salmon of doubt: Let's eat storage sushi - The Register - August 21st, 2017
- 70% of firms face skill shortages for server-based roles - Cloud Pro - August 21st, 2017
- Qualcomm moved its Snapdragon designers to its ARM server chip. We peek at the results - The Register - August 21st, 2017
- Info on 1.8 million Chicago voters exposed on Amazon server - USA TODAY - August 21st, 2017
- Microsoft and Google Give Startups Options to Amazon's Cloud - Fortune - August 18th, 2017
- Cloud is the ignored dimension of security: Cisco - ZDNet - August 18th, 2017
- How AIG moved commercial claims to the cloud - Information Management - August 18th, 2017
- Oracle expands database offering to its cloud services - Network World - August 16th, 2017
- Voices Cloud security from all angles - Accounting Today - August 16th, 2017
- HostHatch launches new Cloud Servers - 5x faster than the giants, including AWS & DigitalOcean - PR Web (press release) - August 15th, 2017
- Oracle Exadata Cloud lands on bare-metal servers - Computer Business Review - August 15th, 2017
- School phones go on 'the cloud' - The Ridgefield Press - August 15th, 2017
- Datrium Announces Split Provisioning For Simple Private Cloud Consolidation At Rackscale - Markets Insider - August 15th, 2017
- New McAfee virtual network security platform offered as part of free test drive on Amazon Web Services - CTR - August 14th, 2017
- How to move into a cloud career from traditional IT - InfoWorld - August 14th, 2017
- Oracle Makes the Most Powerful Database Platform Available on the Industry's Most Advanced Cloud Infrastructure - PR Newswire (press release) - August 14th, 2017
- Frank Dinucci's Cloud Accounting Workshop Draws Many ... - Markets Insider - August 13th, 2017
- Frank Dinucci's Cloud Accounting Workshop Draws Many Entrepreneurs - PR Newswire (press release) - August 12th, 2017
- Cryptocurrencies have pulled one of Nvidia's most sluggish businesses out of the gutter - Quartz - August 11th, 2017
- GoDaddy tops Q2 targets, revenue up 22 percent - ZDNet - August 9th, 2017
- Hardware Can Still Make or Break the Cloud - IT Business Edge (blog) - August 9th, 2017
- Serverless Architectures from an MSP's Point of View - MSPmentor - August 4th, 2017
- Unisecure Data Centers Offers 15% Discount On Cloud Server Hosting Services - HostReview.com (press release) - August 2nd, 2017
- How The Cloud Will Disrupt The Ad Tech Stack - AdExchanger - August 2nd, 2017
- Packet launches edge compute service in 15 global locations - RCR Wireless News - August 2nd, 2017
- IBM adds Optane to its cloud, only as storage and without GPUs - The Register - August 2nd, 2017
- Joining Apple, Amazon's China Cloud Service Bows to Censors - New York Times - August 1st, 2017
- Cisco Launches New UCS Servers, Hybrid Cloud Management ... - SDxCentral - July 12th, 2017
- Verizon data of 6 million users leaked online - CNNMoney - July 12th, 2017
- Server vendors board the Xeon SP party bus - The Register - July 12th, 2017
- New Azure servers to pack Intel FPGAs as Microsoft ARM-lessly embraces Xeon - The Register - July 12th, 2017
- Hybrid cloud and blockchain solutions will be the future for data backup - Information Age - July 10th, 2017
- New 'Microsoft 365' package bundles Windows and Office for businesses - GeekWire - July 10th, 2017
- Tech Data Tightens Cloud Integration With Microsoft To Unlock Simpler Experience For SMBs - CRN - July 10th, 2017