Some QCT servers vulnerable to 'Pantsdown' flaw say security researchers

The vulnerability, now patched, was issued a critical severity score of 9.8.
Written by Charlie Osborne, Contributing Writer

Researchers have disclosed the existence of the critical "Pantsdown" vulnerability in some Quanta Cloud Technology (QCT) server models. 

On Thursday, cybersecurity firm Eclypsium said that several server models from the data center solutions provider were still vulnerable to the bug, which has been publicly known for years.

The vulnerability, tracked as CVE-2019-6260, was first publicly disclosed in January 2019. At the time, one of the researchers who reported it explained the name as a reference to "the nature of feeling that we feel that we've caught chunks of the industry with their…."

CVE-2019-6260, issued a CVSS severity score of 9.8 (critical), is a vulnerability in the ASPEED AST2400 and AST2500 Baseboard Management Controller (BMC) system-on-chips and the firmware that runs on them. The chips expose several bridges from the host into the BMC's internal AHB bus (the LPC-to-AHB, PCIe-to-AHB and X-DMA paths), and firmware that leaves them enabled gives software running on the host arbitrary read/write access to the BMC's physical address space. That primitive can be turned into information leaks, code execution on the BMC, data tampering or theft, or denial-of-service (DoS) attacks.
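The practical question for an operator is whether a given server's BMC still answers through one of those bridges. The following is an added example, not Eclypsium's, QCT's or ASPEED's code: a host-side, read-only probe that drives the iLPC2AHB bridge (SuperIO logical device 0x0D) to read the ASPEED SCU silicon-revision register, SCU7C, and classifies the result. It assumes the SuperIO configuration ports are 0x2E/0x2F, the publicly documented iLPC2AHB register layout (address in 0xF0-0xF3, data in 0xF4-0xF7, length code in 0xF8, trigger at 0xFE), and that the top byte of SCU7C is 0x02 on AST2400 and 0x04 on AST2500. The simulated SuperIO/BMC backend, including the revision value 0x04030303 it returns, is constructed for the example so it runs offline; it is not data captured from a QCT server.

```c
/* Read-only host-side probe for CVE-2019-6260 exposure via the AST2400/AST2500
 * iLPC2AHB bridge (SuperIO LDN 0x0D). Added example, not Eclypsium, QCT or ASPEED
 * code. Assumes SuperIO at 0x2E/0x2F and the public iLPC2AHB register layout;
 * the simulated BMC below is constructed for testing, not captured from hardware. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Port-I/O backend. On real hardware point these at inb/outb from <sys/io.h>
 * (root plus ioperm(0x2E, 2, 1)); the tests use the simulated BMC instead. */
typedef struct {
    void (*outb)(void *ctx, uint16_t port, uint8_t val);
    uint8_t (*inb)(void *ctx, uint16_t port);
    void *ctx;
} sio_bus;
#define SIO_INDEX    0x2E
#define SIO_DATA     0x2F
#define LDN_ILPC2AHB 0x0D
#define SCU7C_REV_ID 0x1E6E207Cu   /* ASPEED SCU silicon revision ID register */

static void sio_w(const sio_bus *b, uint8_t idx, uint8_t val) {
    b->outb(b->ctx, SIO_INDEX, idx); b->outb(b->ctx, SIO_DATA, val);
}
static uint8_t sio_r(const sio_bus *b, uint8_t idx) {
    b->outb(b->ctx, SIO_INDEX, idx); return b->inb(b->ctx, SIO_DATA);
}

/* One 32-bit read of BMC AHB address `addr`. The write trigger (0xCF -> 0xFE) is
 * never used, so the probe cannot modify BMC state. */
uint32_t ilpc2ahb_read32(const sio_bus *b, uint32_t addr) {
    b->outb(b->ctx, SIO_INDEX, 0xA5);        /* unlock SuperIO config space (twice) */
    b->outb(b->ctx, SIO_INDEX, 0xA5);
    sio_w(b, 0x07, LDN_ILPC2AHB);            /* select and activate LDN 0x0D */
    sio_w(b, 0x30, 0x01);
    for (int i = 0; i < 4; i++)              /* AHB address, MSB first, in 0xF0..0xF3 */
        sio_w(b, (uint8_t)(0xF0 + i), (uint8_t)(addr >> (24 - 8 * i)));
    sio_w(b, 0xF8, 0x02);                    /* length code 2 = 4-byte access */
    (void)sio_r(b, 0xFE);                    /* reading 0xFE fires the AHB read */
    uint32_t v = 0;
    for (int i = 0; i < 4; i++)              /* result lands in 0xF4..0xF7 */
        v = (v << 8) | sio_r(b, (uint8_t)(0xF4 + i));
    b->outb(b->ctx, SIO_INDEX, 0xAA);        /* lock config space again */
    return v;
}

typedef enum { BRIDGE_CLOSED, BRIDGE_OPEN_AST2400, BRIDGE_OPEN_AST2500, BRIDGE_UNKNOWN } verdict;

/* 0xFFFFFFFF/0 means nothing answered (SuperIO or bridge disabled); SCU7C[31:24]
 * of 0x02/0x04 means an AST2400/AST2500 replied through the bridge. */
verdict probe_pantsdown(const sio_bus *b) {
    uint32_t id = ilpc2ahb_read32(b, SCU7C_REV_ID);
    if (id == 0xFFFFFFFFu || id == 0) return BRIDGE_CLOSED;
    switch (id >> 24) {
    case 0x02: return BRIDGE_OPEN_AST2400;
    case 0x04: return BRIDGE_OPEN_AST2500;
    default:   return BRIDGE_UNKNOWN;        /* answered, but not an ASPEED ID */
    }
}

/* ---- Simulated SuperIO + BMC (constructed) so the protocol runs offline ---- */
typedef struct {
    bool bridge_enabled, unlocked;   /* bridge_enabled=false models fixed firmware */
    uint8_t a5_count, index, ldn, regs[256];
    uint32_t rev_id;                 /* what the simulated SCU7C returns */
} sim_bmc;

static void sim_outb(void *ctx, uint16_t port, uint8_t val) {
    sim_bmc *s = ctx;
    if (!s->bridge_enabled) return;                      /* decode off: writes dropped */
    if (port == SIO_INDEX) {
        if (val == 0xA5) { if (++s->a5_count >= 2) s->unlocked = true; }
        else if (val == 0xAA) { s->unlocked = false; s->a5_count = 0; }
        else s->index = val;
    } else if (port == SIO_DATA && s->unlocked) {
        if (s->index == 0x07) s->ldn = val;
        else if (s->ldn == LDN_ILPC2AHB) s->regs[s->index] = val;
    }
}
static uint8_t sim_inb(void *ctx, uint16_t port) {
    sim_bmc *s = ctx;
    if (!s->bridge_enabled || port != SIO_DATA || !s->unlocked || s->ldn != LDN_ILPC2AHB)
        return 0xFF;                                     /* open bus */
    if (s->index == 0xFE) {                              /* trigger: perform the AHB read */
        uint32_t addr = (uint32_t)s->regs[0xF0] << 24 | (uint32_t)s->regs[0xF1] << 16 |
                        (uint32_t)s->regs[0xF2] << 8  | s->regs[0xF3];
        bool ok = s->regs[0x30] == 1 && s->regs[0xF8] == 2 && addr == SCU7C_REV_ID;
        uint32_t data = ok ? s->rev_id : 0;              /* only SCU7C is modelled */
        for (int i = 0; i < 4; i++) s->regs[0xF4 + i] = (uint8_t)(data >> (24 - 8 * i));
        return 0;
    }
    return s->regs[s->index];
}

/* Probe a simulated BMC reporting revision `rev` (0x04030303 below is a
 * constructed AST2500-style value, not one read from a QCT server). */
verdict probe_sim(bool bridge_enabled, uint32_t rev) {
    sim_bmc s; memset(&s, 0, sizeof s);
    s.bridge_enabled = bridge_enabled; s.rev_id = rev;
    sio_bus b = { sim_outb, sim_inb, &s };
    return probe_pantsdown(&b);
}

int main(void) {
    printf("bridge enabled: %d, bridge disabled: %d\n",
           probe_sim(true, 0x04030303u), probe_sim(false, 0x04030303u));
    return 0;
}
```

On a real server the `sio_bus` is backed by `inb`/`outb` after `ioperm`, and the verdict from `probe_pantsdown` is the check: an OPEN result means the host can read BMC memory through the bridge, which is exactly the condition a Pantsdown fix is supposed to remove. The probe covers only the iLPC2AHB path; the PCIe-to-AHB and X-DMA bridges need separate checks, some boards decode SuperIO at 0x4E/0x4F instead, and a firmware that leaves SuperIO answering but disables only the bridge will read back zeros, which the classifier also reports as CLOSED. Run it only against hardware you are authorised to test.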

At the time of disclosure, Pantsdown affected multiple BMC firmware stacks, including AMI, Supermicro, and OpenBMC (up to v2.6).

Exploits exist in the wild that harness the Pantsdown bug, potentially placing enterprise servers at risk. 

According to Eclypsium, some QCT server models are still vulnerable to CVE-2019-6260. The team tested a QuantaGrid D52B rackmount server running firmware update package version 1.12 (released 2019.04.23), which contains BIOS version 3B13 and BMC version 4.55.00.

"This same firmware package names support for D52BQ-2U, D52BQ-2U 3UPI, and D52BV-2U models of the server," the team noted. "On inspection, we found that the server contained an Aspeed 2500 BMC (AST2500(A2)) and was running a version of AMI-based BMC software vulnerable to Pantsdown."

During testing, the researchers exploited CVE-2019-6260 from the host to gain read/write access to the BMC's memory, and used that access to patch the BMC's web server code while it was running. They then replaced the patched code with their own, so that a reverse shell was triggered whenever a user connected to the server's web interface or refreshed the page.

Eclypsium created proof-of-concept (PoC) code that they say "demonstrates how even an unsophisticated attacker with remote access to the operating system could leverage this vulnerability to gain code execution within the BMC of QCT servers."

The presence of the vulnerability in Quanta servers was disclosed on October 7, 2021. According to Eclypsium, QCT has now patched the vulnerability and new firmware was made available privately to customers. 

Eclypsium VP of Technology, John Loucaides, told ZDNet:

"Unfortunately, we cannot be sure just how many server models are vulnerable. Some of our partners have run our tests on other models and found the same issue. Given that even some major manufacturers did not run comprehensive tests for this, no one is likely to have a complete list."

ZDNet has reached out to Quanta and we will update when we hear back. 
