A newly disclosed security vulnerability may enable hackers to exploit a common component of server motherboards to compromise data companies store in the cloud.

The vulnerability, dubbed Cloudborne, was detailed today by Andreessen Horowitz-backed security startup Eclypsium Inc. It affects the so-called baseboard management controllers that commonly ship with servers motherboards, including those used by cloud providers in their data centers. 

BMCs are specialized chips that enable administrators to perform changes on a server even if it’s not turned on. They’re a handy means of performing troubleshooting when an issue is preventing a machine from booting. BMCs provide the ability to modify a server’s firmware, make configuration changes and even reinstall the entire operating system if necessary.

But this utility comes with risks. Over the past few years, researchers have found numerous security issues in BMCs that can potentially enable hackers to access or disable a server. Many of the weaknesses affect products from Super Micro Computer Inc., one of the main biggest suppliers of server motherboards to cloud providers and enterprises.

Cloudborne becomes a threat when a vulnerable Supermicro motherboard ends up in a bare-metal cloud server. These are machines that infrastructure-as-a-service providers offer specifically for important workloads such as databases.

Companies that rent a bare-metal server don’t have to share its hardware resources with other users, as is the case when it comes to regular cloud instances. But bare-metal servers are ultimately still rented systems that change hands between customers. According to Eclypsium, Cloudborne can be exploited if a cloud provider fails to reset a machine’s firmware fully before reassigning it to a new user.

The startup demonstrated the vulnerability in a test on IBM Corp.’s SoftLayer cloud platform. They rented a bare-metal server, changed a single bit in the firmware and then deprovisioned the machine, at which point it should have been reset. But after renting the same machine again, Eclypsium found the changed bit stayed in the firmware. 

In practice, this means that a hacker could potentially infect a bare-metal server with malware or create a backdoor to compromise the next customer that rents the machine. 

“The combination of using vulnerable hardware and not re-flashing the firmware makes it possible to implant malicious code into the server’s BMC firmware and inflict damage or steal data from IBM clients that use that server in the future,” Eclypsium’s researchers explained.

“We also noticed that BMC logs were retained across provisioning, and BMC root password remained the same across provisioning,” they added. “By not deleting the logs, a new customer could gain insight into the actions and behaviors of the previous owner of the device.”

In a security advisory released shortly before the disclosure, IBM said it has taken steps to remedy the issue.

But in their report, the researchers cautioned that “this is not an issue limited to any one service provider.” They also suggested the vulnerability might pose a threat to regular, virtual cloud instances, though such machines are fairly resistant to BMC-based attacks. 

Photo: Free-Photos/Pixabay