Omnipotent BMCs From Quanta Remain Vulnerable To Critical Pantsdown Threat (arstechnica.com)

"Quanta not patching vulnerable baseboard management controllers leaves data centers vulnerable," writes long-time Slashdot reader couchslug. "Pantsdown was disclosed in 2019..." Ars Technica reports: In January 2019, a researcher disclosed a devastating vulnerability in one of the most powerful and sensitive devices embedded into modern servers and workstations. With a severity rating of 9.8 out of 10, the vulnerability affected a wide range of baseboard management controllers (BMC) made by multiple manufacturers. These tiny computers soldered into the motherboard of servers allow cloud centers, and sometimes their customers, to streamline the remote management of vast fleets of computers. They enable administrators to remotely reinstall OSes, install and uninstall apps, and control just about every other aspect of the system -- even when it's turned off. Pantsdown, as the researcher dubbed the threat, allowed anyone who already had some access to the server an extraordinary opportunity. Exploiting the arbitrary read/write flaw, the hacker could become a super admin who persistently had the highest level of control for an entire data center.

Over the next few months, multiple BMC vendors issued patches and advisories that told customers why patching the vulnerability was critical. Now, researchers from security firm Eclypsium reported a disturbing finding: for reasons that remain unanswered, a widely used BMC from data center solutions provider Quanta Cloud Technology, better known as QCT, remained unpatched against the vulnerability as recently as last month. As if QCT's inaction wasn't enough, the company's current posture also remains baffling. After Eclypsium privately reported its findings to QCT, the solutions company responded that it had finally fixed the vulnerability. But rather than publish an advisory and make a patch public -- as just about every company does when fixing a critical vulnerability -- it told Eclypsium it was providing updates privately on a customer-by-customer basis. As this post was about to go live, "CVE-2019-6260," the industry's designation to track the vulnerability, didn't appear on QCT's website. [...]
"[T]hese types of attacks have remained possible on BMCs that were using firmware QCT provided as recently as last month," writes Ars' Dan Goodin in closing. "QCT's decision not to publish a patched version of its firmware or even an advisory, coupled with the radio silence with reporters asking legitimate questions, should be a red flag. Data centers or data center customers working with this company's BMCs should verify their firmware's integrity or contact QCT's support team for more information."
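Goodin's closing advice is to verify the firmware on QCT BMCs or contact QCT support. The script below is an added example, not code from Ars Technica, Eclypsium or QCT, showing the first pass a fleet operator would run: pull the firmware revision out of `ipmitool mc info` for each BMC on the isolated management network and flag anything older than a known-fixed revision. Because QCT has published no advisory, the fixed revision here is a placeholder that has to come from QCT support for your model, and the sample `mc info` output (manufacturer ID, revision) is constructed. A version check is not an integrity check: it tells you which hosts to escalate, not that the firmware image on them is genuine.

```shell
#!/bin/sh
# Added example, not from the Ars article, Eclypsium or QCT: first-pass triage of
# BMC firmware revisions with ipmitool. Run it from a host on the isolated
# management network, never from an Internet-facing box.
#
# ASSUMPTIONS: ipmitool is installed; FIXED_REVISION is a PLACEHOLDER. QCT has
# published no advisory, so get the real number from QCT support for your model.
FIXED_REVISION="${FIXED_REVISION:-3.20}"   # placeholder, not a real QCT release

# Extract "Manufacturer ID", "Manufacturer Name" and "Firmware Revision" from
# `ipmitool mc info` text on stdin. Output: id|name|revision on one line.
parse_mc_info() {
    awk -F': *' '
        /^Manufacturer ID/   { sub(/[ \t]+$/, "", $2); mid  = $2 }
        /^Manufacturer Name/ { sub(/[ \t]+$/, "", $2); name = $2 }
        /^Firmware Revision/ { sub(/[ \t]+$/, "", $2); fw   = $2 }
        END { printf "%s|%s|%s\n", mid, name, fw }
    '
}

# True (exit 0) when dotted revision $1 is numerically older than $2.
# Compares component by component so 3.9 sorts before 3.17, unlike a string sort.
fw_older_than() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1   # equal revisions are not older
    }'
}

# Classify one BMC from mc info text on stdin; $1 is the known-fixed revision.
# Prints REVIEW or OK with the fields that matter for the support ticket.
triage_bmc() {
    fixed="$1"
    info="$(parse_mc_info)"
    mid="${info%%|*}"
    rest="${info#*|}"
    name="${rest%%|*}"
    fw="${rest#*|}"
    if [ -z "$fw" ]; then
        echo "UNKNOWN: could not read Firmware Revision from mc info"
    elif fw_older_than "$fw" "$fixed"; then
        echo "REVIEW: $name (id $mid) firmware $fw is older than $fixed"
    else
        echo "OK: $name (id $mid) firmware $fw is at or above $fixed"
    fi
}

# Constructed sample of `ipmitool mc info` output (fake manufacturer ID and
# revision; not captured from a real QCT BMC).
SAMPLE_MC_INFO='Device ID                 : 32
Device Revision           : 1
Firmware Revision         : 3.17
IPMI Version              : 2.0
Manufacturer ID           : 12345
Manufacturer Name         : Unknown (0x3039)
Product ID                : 2352 (0x0930)
Device Available          : yes'

# Stand-alone demo on the constructed sample.
printf '%s\n' "$SAMPLE_MC_INFO" | triage_bmc "$FIXED_REVISION"

# Against a live fleet (one BMC address per line in bmcs.txt; -E makes ipmitool
# read the password from IPMI_PASSWORD so it does not land in shell history):
#   while read -r h; do
#       printf '%s: ' "$h"
#       ipmitool -I lanplus -H "$h" -U "$IPMI_USER" -E mc info | triage_bmc "$FIXED_REVISION"
#   done < bmcs.txt
```

Hosts reported as REVIEW go on the list for QCT support; since the vendor ships fixes privately, the ticket is the only way to learn the actual fixed revision and to obtain an image whose hash you can then compare against what is flashed.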
Comments:
  • Omnipotent ... yet vulnerable. Okay?
  • Let's face it, you have to be a pretty bad IT department to (1) put your management plane on the public internet, and (2) not drop a few ACLs on it.

    The bug is severe, if you can exploit it. However, if the IT department is that bad there are going to be other vulnerabilities that are more relevant.

    • Or be pantsdrunk [theguardian.com] to get pwned by pantsdown. Kippis!
    • by jabuzz ( 182671 )

      This, a 1000 times. If an unknown third party has access to your management network then it is likely game over anyway. Though mostly because the devices sitting on them don't get updates. We still have production servers for which I have to jump through lots of hoops to use the lights out management because modern browsers and modern Java won't touch them and they have not been updated in years. Even if there were a stream of updates for them all, I still wouldn't let the plebs anywhere near them.

      If you don't h

    • by Shimbo ( 100005 )

      Let's face it, you have to be a pretty bad IT department to (1) put your management plane on the public internet, and (2) not drop a few ACLs on it.

      That would not prevent this attack, which is about an unprivileged local user leveraging the BMC to take over the machine, rather than just the usual general security suckage of management processors.

  • Here's an article describing what a BMC is;

    https://www.servethehome.com/e... [servethehome.com]

    They "are used in servers to perform the tasks that an administrator would otherwise need to physically visit the racked server to accomplish".

  • (Yes, I know this is Slashdot, but) the demo video is worth watching. A key point about this is that they assume the attacker already has root access to the server.

    So I think we are beyond something as simple as segregating the management plane from the Internet, more along the lines that someone else already owns your servers.
