Several popular Quanta Cloud Technology (QCT) server models used in hyperscale data centers and cloud provider infrastructure are affected by a critical firmware vulnerability that puts them at risk of attacks that take full control of the server and that can spread to other servers on the same management network.
The QCT models are vulnerable to the so-called "Pantsdown" vulnerability (CVE-2019-6260), a flaw disclosed in 2019 in the ASPEED AST2400 and AST2500 baseboard management controller (BMC) system-on-chips used across a number of server firmware stacks, according to new research published today by Eclypsium. The chips expose hardware bridges that give code running on the host processor read and write access to the BMC's entire physical address space; the bridges are enabled by default, and BMC firmware that does not lock them down leaves the host in a position to rewrite the BMC's memory at will.
BMCs are minicomputers placed within servers that include their own power, firmware, memory, and networking stack. They're there to give remote administrators out-of-band control over the server: managing low-level hardware settings, installing or updating host operating systems, and managing virtual hosts, applications, or data on the system. Servers are often managed through BMCs in Intelligent Platform Management Interface (IPMI) groups that share the same password, so once an attacker compromises one BMC it is trivial to jump to every other system in the group. That kind of concentrated privilege makes BMCs extremely juicy targets for attackers when flaws like these arise.
That attractiveness to the bad guys was on full display back in January, when the iLOBleed implant was found in the wild on HPE Integrated Lights-Out (iLO) BMCs and Eclypsium published an analysis of the campaign. In that case, the implant also blocked BMC firmware updates and reported a successful update back to administrators so that the infected firmware stayed in place.
It's a problem that security researchers have warned about for the better part of a decade. Back in 2013, for example, Metasploit creator HD Moore published pivotal research on IPMI and BMC weaknesses showing that hundreds of thousands of servers reachable from the Internet were exposed to them.
The Pantsdown flaw present on the QCT servers in this most recent research and proof-of-concept carries a CVSS score of 9.8, and public exploit code for it has circulated since the original disclosure.
"This vulnerability can provide an attacker with full control over the server including the ability to propagate ransomware, stealthily steal data, or disable the BMC or the server itself," Eclypsium researchers said in a blog post about the report. "Additionally, by gaining code execution in the BMC, attackers could steal the BMC credentials, which could allow the attack to spread to other servers in the same IPMI group."
The researchers said they conducted their tests and developed the proof-of-concept against QCT servers after flashing them with the most recent firmware package publicly available on QCT's download site.
"On inspection, we found that the server contained an Aspeed 2500 BMC (AST2500(A2)) and was running a version of AMI-based BMC software vulnerable to Pantsdown," they said, explaining they disclosed the flaw in October 2021 to Quanta. "At the time of writing, QCT has informed us that they have addressed the vulnerability and new firmware is available privately to their customers, but will not be made publicly available."
Watch That BMC Firmware
In the proof-of-concept attack Eclypsium researchers developed, they used the host's access to BMC memory to patch the BMC's Web server code while it ran in memory, replacing it with malicious code that triggers a reverse shell when a user refreshes a webpage or connects to the server. They noted that this particular proof-of-concept requires an attacker to have root access on the host operating system of the physical server, but that these permissions are routinely provided by default when users rent a bare-metal server instance.
"Additionally, an attacker could gain root access by exploiting a web-facing application and escalating privileges or simply taking advantage of any services already running with root privileges," the research team added.
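The proof-of-concept described above modifies code that is already running in the BMC's memory, so a hash of the firmware image on flash would still match the vendor's. One way to catch that class of tampering on a Linux-based BMC is to compare the executable pages of each running process against the file they were mapped from. The program below is an added example written for this article, not Eclypsium's or QCT's code; it assumes a Linux BMC with /proc mounted and a file-backed Web server binary, and it checks only file-backed `r-xp` mappings (anonymous executable memory, which a JIT or an implant could also use, is out of scope here).

```c
/* text_check.c: detect in-memory patching of a process's executable code
 * by comparing each file-backed r-xp mapping in /proc/<pid>/maps against
 * the backing file on flash. Added example, not the researchers' PoC.
 * Build: cc -O2 -Wall -o text_check text_check.c
 * Run:   ./text_check <pid>   (defaults to checking itself)
 */
#define _FILE_OFFSET_BITS 64
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Index of the first byte that differs between live and on-disk code,
 * or -1 if the two regions are identical. */
long first_mismatch(const unsigned char *live, const unsigned char *disk, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (live[i] != disk[i]) return (long)i;
    return -1;
}

/* Compare one mapping [start,end) of pid (read through memfd) with the
 * bytes at file offset off in path. Returns 1 if the live code differs,
 * 0 if it matches, -1 if the mapping could not be verified. */
static int check_mapping(int memfd, const char *path, unsigned long long inode,
                         uint64_t start, uint64_t end, uint64_t off)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    struct stat st;
    /* If the file on disk was replaced after the process started, the
     * inode no longer matches and a comparison would be meaningless. */
    if (fstat(fd, &st) != 0 || (unsigned long long)st.st_ino != inode) {
        close(fd);
        return -1;
    }
    enum { CHUNK = 65536 };
    static unsigned char live[CHUNK], disk[CHUNK];
    int result = 0;
    for (uint64_t pos = start; pos < end && result == 0; pos += CHUNK) {
        size_t n = (size_t)((end - pos < CHUNK) ? end - pos : CHUNK);
        if (pread(memfd, live, n, (off_t)pos) != (ssize_t)n) { result = -1; break; }
        ssize_t got = pread(fd, disk, n, (off_t)(off + (pos - start)));
        if (got < 0) { result = -1; break; }
        /* The kernel zero-fills mapped pages past end of file; mirror that. */
        if ((size_t)got < n) memset(disk + got, 0, n - (size_t)got);
        if (first_mismatch(live, disk, n) >= 0) result = 1;
    }
    close(fd);
    return result;
}

/* Walk /proc/<pid>/maps and count file-backed executable mappings whose
 * live bytes differ from the file. Returns the count, or -1 if /proc/<pid>
 * could not be read at all. Unverifiable mappings are reported, not counted. */
int count_patched_text_mappings(pid_t pid)
{
    char mapspath[64], mempath[64], line[8192];
    snprintf(mapspath, sizeof mapspath, "/proc/%d/maps", (int)pid);
    snprintf(mempath, sizeof mempath, "/proc/%d/mem", (int)pid);
    FILE *maps = fopen(mapspath, "r");
    if (!maps) return -1;
    int memfd = open(mempath, O_RDONLY);
    if (memfd < 0) { fclose(maps); return -1; }
    int patched = 0;
    while (fgets(line, sizeof line, maps)) {
        unsigned long long start, end, off, inode;
        char perms[8], path[4096];
        /* line format: start-end perms offset dev inode path */
        if (sscanf(line, "%llx-%llx %7s %llx %*s %llu %4095s",
                   &start, &end, perms, &off, &inode, path) < 6)
            continue;                          /* anonymous mapping */
        if (path[0] != '/') continue;          /* [vdso], [stack], ... */
        if (strcmp(perms, "r-xp") != 0) continue;  /* code pages only */
        if (strstr(line, "(deleted)")) continue;
        int r = check_mapping(memfd, path, inode, start, end, off);
        if (r == 1) { patched++; fprintf(stderr, "PATCHED  %s @ %llx\n", path, start); }
        else if (r < 0) fprintf(stderr, "UNVERIFIED %s @ %llx\n", path, start);
    }
    close(memfd);
    fclose(maps);
    return patched;
}

int main(int argc, char **argv)
{
    pid_t pid = argc > 1 ? (pid_t)atoi(argv[1]) : getpid();
    int n = count_patched_text_mappings(pid);
    if (n < 0) { perror("proc"); return 2; }
    printf("%d patched executable mapping(s) in pid %d\n", n, (int)pid);
    return n ? 1 : 0;
}
```

Run it as root against the BMC's Web server process (the assumed target of the in-memory patch) and treat any `PATCHED` line as an incident. The caveat is that an attacker with host-to-BMC memory access can also tamper with this checker or the BMC kernel, so it is a detection layer to run from a trusted path, alongside comparing the on-flash image to vendor-published hashes, not a guarantee.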
The researchers say this particular piece of research further emphasizes the need for organizations to regularly verify the integrity of their BMC firmware.