A new vulnerability dubbed Cloudborne can allow attackers to plant backdoor implants in the firmware or BMC of bare metal servers that survive client reassignment in bare metal and general cloud services, leading to a variety of attack scenarios.
Organizations deploying critical high-value apps on bare metal servers through Infrastructure as a Service (IaaS) offerings consider it the best alternative to buying their own hardware because this allows for easy and quick scaling of cloud-based applications without the need of sharing the hardware with other users.
While this generally means that an organization's critical apps are always running on dedicated servers, the fact that those servers are reclaimed and re-assigned once the client no longer needs them exposes them to firmware weaknesses and vulnerabilities that can persist between customer assignments.
As discovered by the Eclypsium Research Team, attackers can implant malicious backdoors within the firmware of cloud services' shared infrastructure, with these implants being able to survive after the cloud service provider distributes the server to another customer.
[..] even though the hardware is dedicated to a single customer at a given point in time, they could easily be using 2nd, 3rd, or nth hand hardware. [..] In a bare-metal cloud service offering, the underlying hardware could easily pass through dozens of "owners" with direct access and control over that hardware.
More exactly, bare metal servers can be compromised by potential attackers who could add malicious backdoors and code to the firmware of a server or to its baseboard management controller (BMC) with minimal skills.
"The Baseboard Management Controller (BMC) is a third-party component designed to enable remote management of a server for initial provisioning, operating system reinstall and troubleshooting," says IBM.
Once this type of backdoor implant is successfully dropped on a bare metal server, it will survive between client switches performed by the provider.
As detailed by Eclypsium, "Truly removing a malicious implant could require the service provider to physically connect to chips to reflash the firmware, which is highly impractical at scale."
By exploiting this vulnerability, dubbed Cloudborne, would-be attackers can go through a number of attack scenarios:
It's important to mention that, while a Cloudborne attack scenario was tested against IBM's SoftLayer cloud services, the issue of backdoor implants surviving the reclamation process found by Eclypsium is also present in the infrastructure of all other cloud providers.
IBM published details about the vulnerability on February 25, stating that:
On some system models offered by IBM Cloud and other cloud providers, a malicious attacker with access to the provisioned system could overwrite the firmware of the BMC. The system could then be returned to the hardware pool, where the compromised BMC firmware could then be used to attack the next user of the system.
The BMC has limited processing power and memory, which makes these types of attacks difficult. IBM has found no indication that this vulnerability has been exploited for malicious purposes. In addition, all clients of IBM Cloud receive a private network for their BMCs, separate from the private networks containing other clients' BMCs and unprovisioned BMCs.
As potential fixes or remediation for this security issue which got assigned a low severity by the vendor, IBM said that it forced "all BMCs, including those that are already reporting up-to-date firmware, to be reflashed with factory firmware before they are re-provisioned to other customers. All logs in the BMC firmware are erased and all passwords to the BMC firmware are regenerated."
However, after IBM's post describing the vulnerability and the remediation measures it took against it, "an Eclypsium researcher was able to quickly confirm that he received the same system back that he worked on before (at 16th of Feb) and there was no indication that password or firmware had been changed from the last time he used it. The researcher is conducting more testing."
Following IBM's publication of the vulnerability residing in their Cloud Baseboard Management Controller (BMC) Firmware, Eclypsium also argues that the low severity is not appropriate, stating that they would "classify it as 9.3 (Critical) Severity with the following details: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" given its capability for high security-critical impact.
In addition, Eclypsium explains that:
While the hardware specifications of BMC hardware are low as compared with the host server, the capability for security-critical impact is high. By design, the BMC is intended for managing the host system, and as such, it is more privileged than the host. The BMC has continual access to files, memory (using DMA), keyboard/video, and firmware of the host (which is required because it needs the ability to reinstall/reconfigure it).
Even though IBM and Eclypsium are already engaged in talks regarding the severity level of this vulnerability, other cloud vendors have yet to chime in on a discussion that could go on for a while, considering the long-term implications of such security issues and the apparently extremely hard-to-implement fixes.
Eclypsium's research team concluded: "Since firmware underlies even the host operating system and the virtualization layers of a server, any implants would naturally be able to subvert any controls and security measures running at these higher layers. [..] Given the nature and data hosted on bare metal offerings, this opens up the possibility for high-impact attack scenarios."
Seeing that the BMC can also communicate with and send data to external networks, having the potential to also reconfigure the host's network interface, would-be attackers are provided with all the tools they need to surreptitiously control a compromised system using one of the attack scenarios detailed by Eclypsium.
While bare metal cloud offerings are very convenient for organizations which do not want to invest in their own hardware, security concerns such as the one the Eclypsium research team unearthed might convince them to switch to hardware that they own and manage on-site to avoid having sensitive data accessed or modified, as well as critical apps disabled.
See the original post here:
Hackers Backdoor Cloud Servers to Attack Future Customers