Firmware vulnerabilities in millions of computers could give hackers superuser status


Two years ago, ransomware crooks breached hardware-maker Gigabyte and dumped more than 112 gigabytes of data that included information from some of its most important supply-chain partners, including Intel and AMD. Now researchers are warning that the leaked information revealed what could amount to critical zero-day vulnerabilities that could imperil huge swaths of the computing world.

The vulnerabilities reside inside firmware that Duluth, Georgia-based AMI makes for BMCs (baseboard management controllers). These tiny computers soldered into the motherboard of servers allow cloud centers, and sometimes their customers, to streamline the remote management of vast fleets of computers. They enable administrators to remotely reinstall OSes, install and uninstall apps, and control just about every other aspect of the system—even when it’s turned off. BMCs provide what’s known in the industry as “lights-out” system management.

Lights-out forever

Researchers from security firm Eclypsium analyzed AMI firmware leaked in the 2021 ransomware attack and identified vulnerabilities that had lurked for years. They can be exploited by any local or remote attacker with access to an industry-standard remote-management interface known as Redfish to execute malicious code that will run on every server inside a data center.

Until the vulnerabilities are patched using an update AMI published on Thursday, they provide a means for malicious hackers—both financially motivated and nation-state sponsored—to gain superuser status inside some of the most sensitive cloud environments in the world. From there, the attackers could install ransomware and espionage malware that runs at some of the lowest levels inside infected machines. Successful attackers could also cause physical damage to servers or indefinite reboot loops that a victim organization can’t interrupt. Eclypsium warned such events could lead to “lights out forever” scenarios.

In a post published Thursday, Eclypsium researchers wrote:

These vulnerabilities range in severity from High to Critical, including unauthenticated remote code execution and unauthorized device access with superuser permissions. They can be exploited by remote attackers having access to Redfish remote management interfaces, or from a compromised host operating system. Redfish is the successor to traditional IPMI and provides an API standard for the management of a server’s infrastructure and other infrastructure supporting modern data centers. Redfish is supported by virtually all major server and infrastructure vendors, as well as the OpenBMC firmware project often used in modern hyperscale environments.

These vulnerabilities pose a major risk to the technology supply chain that underlies cloud computing. In short, vulnerabilities in a component supplier affect many hardware vendors, which in turn can be passed on to many cloud services. As such these vulnerabilities can pose a risk to servers and hardware that an organization owns directly as well as the hardware that supports the cloud services that they use. They can also impact upstream suppliers to organizations and should be discussed with key 3rd parties as part of general supply chain risk management due diligence.

BMCs are designed to provide administrators with near total and remote control over the servers they manage. AMI is a leading provider of BMCs and BMC firmware to a wide range of hardware vendors and cloud service providers. As a result, these vulnerabilities affect a very large number of devices, and could enable attackers to gain control of or cause damage not only to devices but to data centers and cloud service infrastructure. The same logic flaws may affect devices in fall-back data centers in different geographic regions part of the same service provider, and can challenge assumptions cloud providers (and their customers) often make in the context of risk management and continuity of operations.

The researchers went on to note that if they could locate the vulnerabilities and write exploits after analyzing the publicly available source code, there’s nothing stopping malicious actors from doing the same. And even without access to the source code, the vulnerabilities could still be identified by decompiling BMC firmware images. There’s no indication malicious parties have done so, but there’s also no way to know they haven’t.

The researchers privately notified AMI of the vulnerabilities, and the company created firmware patches, which are available to customers through a restricted support page. AMI has also published an advisory here.

The vulnerabilities are:

  • CVE-2023-34329, an authentication bypass via HTTP headers that has a severity rating of 9.9 out of 10, and
  • CVE-2023-34330, Code injection via Dynamic Redfish Extension. Its severity rating is 8.2.

https://arstechnica.com/?p=1955540




New AMI BMC Flaws Allowing Takeover and Physical Damage Could Impact Millions of Devices

Firmware and hardware security company Eclypsium has disclosed information on two new vulnerabilities found by its researchers in the American Megatrends (AMI) MegaRAC Baseboard Management Controller (BMC) software.

Eclypsium disclosed other flaws discovered as part of the same research project in December 2022. The analysis focused on information leaked as a result of a ransomware attack launched in 2021 against motherboard maker Gigabyte, a supply chain partner of AMI. The vulnerabilities discovered by the cybersecurity firm in the AMI BMC are collectively tracked as BMC&C.

The BMC software enables administrators to remotely monitor and control a device, without the need to go through the operating system or applications running on it. It can be used to update firmware, install operating systems, and analyze logs. While these features make BMC very useful, they can also make it a tempting target for threat actors.

The BMC made by AMI is present in millions of devices worldwide as it’s used in the products of major companies such as Ampere, Asrock, Asus, Arm, Dell, Gigabyte, HPE, Huawei, Inspur, Lenovo, Nvidia, Qualcomm, Quanta, and Tyan.

The new vulnerabilities disclosed by Eclypsium on Thursday are CVE-2023-34329, a critical authentication bypass issue that can be exploited by spoofing HTTP headers, and CVE-2023-34330, a code injection flaw. 

“When both of these vulnerabilities are chained together, even a remote attacker with network access to BMC management interface and no BMC credentials, can achieve remote code execution by tricking BMC into believing that the http request is coming from the internal interface. As a result the attacker can remotely upload and execute arbitrary code, possibly from the Internet, if the interface is exposed to it,” Eclypsium explained. 

Similar to the previously disclosed vulnerabilities, these new flaws can pose a significant risk to organizations. An attacker who has gained access to the targeted server’s BMC can conduct a wide range of activities, and the impact can be significant, particularly in the case of data centers and cloud environments.


In one theoretical scenario described by Eclypsium, an attacker leverages existing BMC functionality to create a continuous shutdown loop on the host and prevent legitimate users from accessing it. These types of attacks are difficult to detect and address, and researchers warn that the method could be used to extort a targeted organization. 

“When this happens to a small number of machines, the impact may be limited in scale, however should the same vulnerabilities be exploited across an entire BMC management segment and affect hundreds or thousands of devices at once, the impact can be catastrophic to operations, and result in indefinite downtime with no ability to recover,” the security firm said.

Access to the BMC also allows an attacker to stealthily access KVM (keyboard/video/mouse) functionality, enabling them not only to closely monitor legitimate users but also conduct activities on their behalf using KVM inputs.

A hacker can also cause physical destruction through power management tampering, by changing CPU voltages and permanently bricking them.

BMC access can also be used for lateral movement, including to other BMCs, network devices, and even to Active Directory.  

While these vulnerabilities could pose a significant risk to millions of systems, Eclypsium is currently not aware of in-the-wild exploitation. Proof-of-concept (PoC) exploits have not been made public, but sophisticated threat actors could find the flaws on their own by looking at the same leaked information that the security firm analyzed. 


https://www.securityweek.com/new-ami-bmc-flaws-allowing-takeover-and-physical-damage-could-impact-millions-of-devices/




CISA, NSA Share Guidance on Hardening Baseboard Management Controllers

The Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) have published new guidance to help organizations harden baseboard management controllers (BMCs).

Typically part of a motherboard, a BMC is a specialized service processor used for monitoring the physical state of a system, server, or other device, collecting information such as temperature, voltage, humidity, and fan speeds.

Operating separately from the operating system and the system’s firmware (such as BIOS and UEFI), a BMC enables remote management and control, even on systems that are shut down (as long as the system is connected to a power outlet).

The BMC firmware, CISA and the NSA point out in the new guidance (PDF), is highly privileged, having access to all resources of the system it resides on. Using BMC management solutions allows organizations to manage multiple systems without physical access.

The firmware BMCs run on is maintained separately and, because many BMCs do not provide integration with user account management solutions, updates and other administrative actions need to be delivered via commands over network connections.

“Many organizations fail to take the minimum action to secure and maintain BMCs. Hardened credentials, firmware updates, and network segmentation options are often overlooked, leading to a vulnerable BMC. A vulnerable BMC broadens the attack vector by providing malicious actors the opportunity to employ tactics such as establishing a beachhead with pre-boot execution potential,” CISA and the NSA note.

Unauthorized access to a BMC could allow attackers to disable the trusted platform module (TPM) or UEFI secure boot or propagate implants across the network without being detected by traditional tools or security features, including endpoint detection and response (EDR) solutions, intrusion detection/prevention systems (IDS/IPS), and TPM attestation.


Organizations are advised to change default BMC credentials and use strong passwords compliant with NIST guidelines, to isolate BMC network connections using a virtual local area network (VLAN), limit the connections to a BMC, harden BMCs against unauthorized access, routinely check for BMC firmware updates, monitor BMC integrity, and move workloads on systems with BMC integrity monitoring mechanisms.

“A user may accidentally connect and expose an ignored and disconnected BMC to malicious content. Treat an unused BMC as if it may one day be activated. Apply patches. Harden credentials. Restrict network access. If a BMC cannot be disabled or removed, carry out recommended actions appropriate to the sensitivity of the platform’s data,” the two agencies note.
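The hardening points above (default credentials, management-VLAN isolation, firmware currency) can be checked against an inventory in bulk. The following is an added example, not code from the article, CISA or the NSA: it audits constructed Redfish-style records offline. `FirmwareVersion` and `UserName` are standard Redfish schema properties; the inventory layout, the management VLAN, the firmware baseline and the default-account list are assumptions.

```python
"""Offline audit of BMC inventory records against basic hardening points:
default accounts, management-network isolation and firmware currency.
A collector would normally fetch the Manager resource from
/redfish/v1/Managers/<id> and the accounts from /redfish/v1/AccountService/Accounts;
here the records are constructed sample data (no real devices)."""
import ipaddress
import json
import re

# Constructed sample inventory. FirmwareVersion and UserName are standard
# Redfish properties; "host", "bmc_ip", "manager", "accounts" are assumed
# collector fields.
SAMPLE_INVENTORY = json.loads("""
[
  {"host": "srv-01", "bmc_ip": "10.20.5.11",
   "manager": {"FirmwareVersion": "3.12"},
   "accounts": [{"UserName": "bmcops"}]},
  {"host": "srv-02", "bmc_ip": "192.168.1.40",
   "manager": {"FirmwareVersion": "3.02"},
   "accounts": [{"UserName": "admin"}, {"UserName": "bmcops"}]}
]
""")

MGMT_VLAN = ipaddress.ip_network("10.20.5.0/24")  # assumed isolated BMC VLAN
MIN_FIRMWARE = (3, 10)                            # assumed patched baseline
DEFAULT_ACCOUNTS = {"admin", "administrator", "root"}  # assumed factory names

def parse_version(text):
    """Turn '3.10' or 'v3.10.1' into a comparable tuple of integers."""
    return tuple(int(p) for p in re.findall(r"\d+", text))

def audit_bmc(record):
    """Return the list of finding labels for one BMC inventory record."""
    findings = []
    # Isolation: a BMC reachable from anywhere but the management VLAN is a gap.
    if ipaddress.ip_address(record["bmc_ip"]) not in MGMT_VLAN:
        findings.append("bmc_outside_management_vlan")
    # Currency: firmware older than the baseline has not been updated.
    fw = parse_version(record["manager"].get("FirmwareVersion", "0"))
    if fw < MIN_FIRMWARE:
        findings.append("firmware_below_baseline")
    # Credentials: a factory account name is a heuristic sign that defaults
    # were never replaced; it must be confirmed on the device.
    for acct in record["accounts"]:
        name = acct.get("UserName", "")
        if name.lower() in DEFAULT_ACCOUNTS:
            findings.append("default_account_present:" + name)
    return findings

def audit_inventory(records):
    """Map each host to its findings; an empty list means no finding."""
    return {r["host"]: audit_bmc(r) for r in records}

if __name__ == "__main__":
    for host, findings in audit_inventory(SAMPLE_INVENTORY).items():
        print(host, findings or ["ok"])
```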


https://www.securityweek.com/cisa-nsa-share-guidance-on-hardening-baseboard-management-controllers/




Intel releases patches for dozens of severe and critical vulnerabilities


A hectic week for Intel: the company has released dozens of patches for its products, some of them addressing vulnerabilities of medium, high or critical severity.

One of the worst identified by the company is CVE-2021-39296, a vulnerability in the netipmid interface of OpenBMC, a Linux distribution present on several Intel platforms. By exploiting this flaw, attackers are able to escalate privileges and carry out denial-of-service attacks. The problem was identified at the end of 2021, but the security patches have only been made available in recent days.

The vulnerability affects all BMC firmware versions prior to 2.86, 2.09 and 2.78, and OpenBMC versions prior to 0.72, wht-1.01-61 and egs-0.91-179, which are present in several chipsets and processors such as the Xeon W 3200 series, 3rd-generation Xeon Scalable, and the C620, C250 and C740 chipset series.


The same firmware versions also suffer from four other minor vulnerabilities, which were fixed with this week’s security updates. Almost all the vulnerabilities identified allow an attacker to obtain high-level privileges and take control of resources.

Among the products affected by the vulnerabilities are core software such as Driver Support Assistant, which manages Intel products and downloads drivers and software, Battery Life Diagnostic Tool, for monitoring battery status on systems, and System Usage Report.

Intel advises users and system administrators to update the vulnerable products as soon as possible by downloading the security patches released this week. The advice is, as always, to keep software up to date and watch for any further communications from the company.

https://www.securityinfo.it/2023/02/16/intel-patch-vulnerabilita/?utm_source=rss&utm_medium=rss&utm_campaign=intel-patch-vulnerabilita




Omnipotent BMCs from Quanta remain vulnerable to critical Pantsdown threat


In January 2019, a researcher disclosed a devastating vulnerability in one of the most powerful and sensitive devices embedded into modern servers and workstations. With a severity rating of 9.8 out of 10, the vulnerability affected a wide range of baseboard management controllers (BMC) made by multiple manufacturers. These tiny computers soldered into the motherboard of servers allow cloud centers, and sometimes their customers, to streamline the remote management of vast fleets of computers. They enable administrators to remotely reinstall OSes, install and uninstall apps, and control just about every other aspect of the system—even when it’s turned off.

Pantsdown, as the researcher dubbed the threat, allowed anyone who already had some access to the server an extraordinary opportunity. Exploiting the arbitrary read/write flaw, the hacker could become a super admin who persistently had the highest level of control for an entire data center.

The industry mobilizes… except for one

Over the next few months, multiple BMC vendors issued patches and advisories that told customers why patching the vulnerability was critical.

Now, researchers from security firm Eclypsium reported a disturbing finding: for reasons that remain unanswered, a widely used BMC from data center solutions provider Quanta Cloud Technology, better known as QCT, remained unpatched against the vulnerability as recently as last month.

As if QCT’s inaction wasn’t enough, the company’s current posture also remains baffling. After Eclypsium privately reported its findings to QCT, the solutions company responded that it had finally fixed the vulnerability. But rather than publish an advisory and make a patch public—as just about every company does when fixing a critical vulnerability—it told Eclypsium it was providing updates privately on a customer-by-customer basis. As this post was about to go live, “CVE-2019-6260,” the industry’s designation to track the vulnerability, didn’t appear on QCT’s website.

In an email, Eclypsium VP of Technology John Loucaides wrote:

“Eclypsium is continuing to find that custom servers (eg. Quanta) remain unpatched to vulnerabilities from as far back as 2019. This is affecting a myriad of devices from a large number of cloud providers. The problem isn’t any one vulnerability, it’s the system that keeps cloud servers old and vulnerable. Quanta has only just released the patch for these systems, and they did not provide it for verification. In fact, their response to us was that it would only be made available upon request to support.”

Multiple Quanta representatives didn’t respond to two emails sent over consecutive days requesting confirmation of Eclypsium’s timeline and an explanation of its patching process and policies.

Current, but not patched

A blog post Eclypsium published on Thursday shows the type of attack that’s possible to carry out on QCT BMCs using firmware available on QCT’s update page as of last month, more than three years after Pantsdown came to light.

Eclypsium’s accompanying video shows an attacker gaining access to the BMC after exploiting the vulnerability to modify its web server. The attacker then executes a publicly available tool that uses Pantsdown to read and write to the BMC firmware. The tool allows the attacker to supply the BMC with code that opens a reverse web shell whenever a legitimate administrator refreshes a webpage or connects to the server. The next time the admin tries to take either action, it will fail with a connection error.

Behind the scenes, however, and unbeknownst to the admin, the attacker’s reverse shell opens. From here on, the attacker has full control of the BMC and can do anything with it that a legitimate admin can, including establishing continued access or even permanently bricking the server.

[Video: BMC Attack Demo]

The power and ease of use of the Pantsdown exploit are by no means new. What is new, contrary to expectations, is that these types of attacks have remained possible on BMCs that were using firmware QCT provided as recently as last month.

QCT’s decision not to publish a patched version of its firmware or even an advisory, coupled with the radio silence with reporters asking legitimate questions, should be a red flag. Data centers or data center customers working with this company’s BMCs should verify their firmware’s integrity or contact QCT’s support team for more information.

Even when BMCs come from other manufacturers, cloud centers, and cloud center customers shouldn’t assume they’re patched against Pantsdown.

“This is a serious problem, and we do not believe it is a unique occurrence,” Loucaides wrote. “We’ve seen currently deployed devices from each OEM that remain vulnerable. Most of those have updates that simply were not installed. Quanta’s systems and their response did set them apart, though.”

https://arstechnica.com/?p=1856683