Bare metal flaw allows hackers to put backdoors into cloud servers

Cloudbourne exploit could enable hackers to attack any client on cloud-based servers

A new flaw has been discovered by security researchers that could enable hackers to install backdoors on the firmware of bare-metal cloud servers that stay active even when the customer using the hardware has been re-assigned elsewhere.

Called "Cloudbourne", the vulnerability was first discovered by researchers at the Eclypsium Research Team, who detailed their findings in a blog post. They found that hackers could plant backdoors and malware in the firmware of a server, or in its baseboard management controller (BMC), with relative ease.

These BMCs enable remote management of a server for initial provisioning, operating system reinstall and troubleshooting. Cloudborne exploits a flaw in the hardware's reclamation process when moving clients on and off a bare metal server.

While physical servers are dedicated to one customer at a time, they don't stay that way forever," said researchers. "Servers are provisioned and reclaimed over time and naturally move from customer to customer."

The firmware of the hardware is not reflashed in the reclamation process, allowing backdoors to persist. A hacker uses a known vulnerability in Supermicro hardware to rewrite the BMC and gain direct access to the hardware.

Researchers said that hackers "could spend a nominal sum of money for access to a server, implant malicious firmware at the UEFI, BMC, or even component level, such as in drives or network adapters. Then the attacker could release the hardware back to the service provider, which could put it back into use with another customer."

They added that given a BMC's ability to control the server, any compromises to that firmware can provide access to powerful tools for an attacker to exploit.

"Given the nature of the applications and data hosted on bare-metal offerings, this opens up the possibility for high-impact attack scenarios," they said.

These scenarios include application disruption, where a malicious implant at the BMC level could permanently disable a server; data theft, as it provides attackers with another very low-level way of stealing or intercepting data; and ransomware attacks, as attackers would naturally have the ability to take hold of valuable assets.

The backdoor could also compromise other parts of cloud infrastructure. For example, hackers could send malicious IPMI commands over system interfaces from the host without the commands being authenticated.

"Since there is no authentication performed when using system interfaces, the only barrier to running arbitrary code within the BMC is whether the BMC itself performs cryptographically secure signature verification of the firmware update image before applying the update. Unfortunately, not all BMCs perform this check, and even when they do, malware can exploit vulnerabilities in the BMC firmware to bypass it," noted researchers.

Researchers said that as firmware underlies even the host operating system and the virtualization layers of a server, any implants would naturally be able to subvert any controls and security measures running at these higher layers.

Featured Resources

How to scale your organisation in the cloud

How to overcome common scaling challenges and choose the right scalable cloud service

Download now

The people factor: A critical ingredient for intelligent communications

How to improve communication within your business

Download now

Future of video conferencing

Optimising video conferencing features to achieve business goals

Download now

Improving cyber security for remote working

13 recommendations for security from any location

Download now

Recommended

The care and feeding of cloud
Whitepaper

The care and feeding of cloud

24 Feb 2021
Address multi-cloud configuration risks
Whitepaper

Address multi-cloud configuration risks

24 Feb 2021
Atlassian’s new cloud offering addresses enterprises’ core needs
cloud management

Atlassian’s new cloud offering addresses enterprises’ core needs

18 Feb 2021
How to scale your organisation in the cloud
Whitepaper

How to scale your organisation in the cloud

17 Feb 2021

Most Popular

How to connect one, two or more monitors to your laptop
Laptops

How to connect one, two or more monitors to your laptop

25 Feb 2021
How to find RAM speed, size and type
Laptops

How to find RAM speed, size and type

26 Feb 2021
Ransomware operators are exploiting VMware ESXi flaws
ransomware

Ransomware operators are exploiting VMware ESXi flaws

1 Mar 2021