Hackers can hijack bare-metal cloud servers by corrupting their BMC firmware

Cloud providers are failing to wipe bare-metal servers clean when re-assigning them to new clients.

Server rack data center

Hackers can corrupt the firmware of bare-metal cloud servers and regain access to servers after they've been released and reassigned to other customers, a report published today reveals.

Bare-metal server is a term used in the cloud services industry to describe a physical (hardware) server that is rented to one customer only, at a time.

The customer rents a bare-metal server to which it has full and complete access. They can make any modifications they like and use the servers for various purposes without fearing that the machine might be secretly shared with other customers at the same time --as is the case of most of today's virtualization-based cloud hosting solutions.

The idea is that once a customer is done using the server, they release it back to the cloud company, and the provider will wipe the server software and any customer data, and later make it available to other customers.

But in an experiment carried by hardware security firm Eclypsium, the company's security researchers discovered that cloud service providers might be failing when it comes to properly wiping bare-metal servers.

The Eclypsium team says it was able to make modifications to a server's BMC firmware, which they say an attacker can abuse to access the server after it was wiped and reassigned to another customer.

BMC stands for baseboard management controller, and is a computer/server component that contains its own CPU, storage system, and LAN interface that allows a remote admin to connect to or send instructions to the PC/server to perform various operations, such as modify OS settings, reinstall the OS, or update drivers.

The Eclypsium team has a history in finding and exploiting BMC firmware flaws. Last year, researchers discovered vulnerabilities in the BMC firmware of Super Micro motherboards.

They also showed in an experiment how they were able to abuse those flaws to brick a server by altering its BMC firmware to destroy the server's more important UEFI firmware, rendering the server useless.

But threat actors rarely brick servers. They are usually more interested in data theft. For their latest experiment, Eclypsim researchers used their knowledge of the Super Micro BMC firmware flaw to show how an attacker could abuse this vulnerability in a more dangerous way --breaching companies' networks and later stealing data.

"We tested this scenario against IBM's SoftLayer cloud services," the research team said. "The issues that we tested for in the experiment are common to many cloud providers and should not be considered limited to IBM SoftLayer."

"We originally chose SoftLayer for our testing environment because of its simplified logistics and access to hardware but noticed SoftLayer was using SuperMicro server hardware that based on our previous research we knew were vulnerable," Eclypsium said. "It should be noted that SoftLayer uses other hardware vendors in addition to SuperMicro, and SuperMicro devices are used by many other service providers."

Their test, which they called Cloudborne, was successful, with the research team managing to update a rented bare-metal server's BMC firmware with one they had prepared in advance.

The BMC firmware Eclypsium uploaded contained just one single bit flip, so they would be able to recognize it at a later point, but any malicious code could have been packed within the BMC firmware, such as backdoor accounts, port settings changed to open by default, and others.

Furthermore, they also found other security issues that could have been exploited by attackers, even if they didn't have the skills to alter BMC firmware.

"We also noticed that BMC logs were retained across provisioning and BMC root password remained the same across provisioning," the team said. "By not deleting the logs, a new customer could gain insight into the actions and behaviors of the previous owner of the device, while knowing the BMC root password could enable an attacker to more easily gain control over the machine in the future."

The issues described by the Eclypsium team show a new type of attack surface that cloud providers with bare-metal servers weren't aware of. Eclypsium researchers recommend that wiping bare-metal server operations should also involve reflashing the BMC firmware and using per-client unique BMC root passwords.

IBM appears to be taking Eclypsium's advice, at least on the surface. In a blog post yesterday, the company said it configured its cloud service to reflash all BMC firmware to factory settings and erase all logs and generate new passwords for each client. Eclypsium's only issue with the IBM's response was that the cloud service provider classified the issue as a "Low Severity" while Eclypsium saw it as a "Critical Severity" issue with a severity score of 9.3 out of 10.

Related cyber-security coverage: