OpenBMC caught with 'pantsdown' over new security flaw

Multiple BMC firmware stacks are affected.

A severe vulnerability has been found which impacts multiple Baseboard Management Controller (BMC) firmware stacks and hardware.

The bug, CVE-2019-6260, has been nicknamed "pantsdown" according to Software Engineer at the IBM Linux Technology Center  Stewart Smith, who published a technical write-up on the security issue on Wednesday and said the flaw could best be described as "the nature of feeling that we feel that we've caught chunks of the industry with their…."

The vulnerability comes into play during special circumstances based on hardware configuration and BMC setups, such as in bare-metal cloud hosting arrangements.

Also: Even if you're off social media, your friends could be ruining your privacy CNET

In particular, systems using the ASPEED ast2400 and ast2500 system-on-chips (SoCs) are affected. Other hardware has not been tested.

OpenBMC versions up to at least 2.6 on all supported Aspeed-based platforms are also impacted.

Smith says that the vulnerability lies in how the ASPEED ast2400 and ast2500 BMC implement Advanced High-performance Bus (AHB) bridges, which permit arbitrary read/write access to the BMC's physical address space from the host, or from the network if the BMC console uart is attached to a serial concentrator.

"Common configuration of the ASPEED BMC SoC's hardware features leaves it open to "remote" unauthenticated compromise from the host and from the BMC console," Smith says. "This stems from AHB bridges on the LPC and PCIe buses, another on the BMC console UART (hardware password protected), and the ability of the X-DMA engine to address all of the BMC's M-Bus (memory bus)."

Multiple BMC firmware stacks are impacted, including OpenBMC, AMI's BMC, and SuperMicro, according to the researcher. The vulnerability is independent of host processor architecture and has been detected on systems with x86_64 IBM POWER processors.

See also: DarkHydrus abuses Google Drive to spread RogueRobin Trojan

Smith says it is possible that other architectures may also be affected but no others have been tested.

If exploited, unauthenticated access may lead to malware execution, firmware flashing or the dump of firmware of a running BMC from the host; arbitrary reads or writes, configuration tampering, or even BMC bricking by disabling the CPU click until a future power cycle.

It may also be possible to configure an in-band BMC console from the host, and although this particular attack may require valid login credentials, this can be circumvented by changing the lock on a BMC by replacing root shadow password hashes in RAM.  

The iLPC2AHB bridge Pt I, iLPC2AHB bridge Pt II, PCIe VGA P2A bridge, DMA from/to arbitrary BMC memory via X-DMA, UART-based SoC Debug interface, LPC2AHB bridge, PCIe BMC P2A bridge, and Watchdog setup are all affected in ways ranging from arbitrary read and writes to the exposure of RAM or vulnerable parts of the BMC's address-space to a host and both unauthorized memory and IO accesses.

Also: Hackers turn to data theft and resale on the Dark Web for higher payouts TechRepublic

"There is some debate on if this is a local or remote vulnerability, and it depends on if you consider the connection between the BMC and the host processor as a network or not," Smith added.

The researcher says that resolving the vulnerability is platform-dependant as it requires a fix to be issued to both BMC firmware and host firmware.

IBM's OpenPOWER systems have issued patches to mitigate the issue on both the host and BMC side.

ZDNet has reached out to multiple vendors impacted by the bug and will update if we hear back.

Previous and related coverage