Omnipotent BMCs From Quanta Remain Vulnerable To Critical Pantsdown Threat

"Quanta not patching vulnerable baseboard management controllers leaves data centers vulnerable," writes long-time Slashdot reader couchslug. "Pantsdown was disclosed in 2019..." Ars Technica reports: In January 2019, a researcher disclosed a devastating vulnerability in one of the most powerful and sensitive devices embedded into modern servers and workstations. With a severity rating of 9.8 out of 10, the vulnerability affected a wide range of baseboard management controllers (BMC) made by multiple manufacturers. These tiny computers soldered into the motherboard of servers allow cloud centers, and sometimes their customers, to streamline the remote management of vast fleets of computers. They enable administrators to remotely reinstall OSes, install and uninstall apps, and control just about every other aspect of the system -- even when it's turned off. Pantsdown, as the researcher dubbed the threat, allowed anyone who already had some access to the server an extraordinary opportunity. Exploiting the arbitrary read/write flaw, the hacker could become a super admin who persistently had the highest level of control for an entire data center.

Over the next few months, multiple BMC vendors issued patches and advisories that told customers why patching the vulnerability was critical. Now, researchers from security firm Eclypsium reported a disturbing finding: for reasons that remain unanswered, a widely used BMC from data center solutions provider Quanta Cloud Technology, better known as QCT, remained unpatched against the vulnerability as recently as last month. As if QCT's inaction wasn't enough, the company's current posture also remains baffling. After Eclypsium privately reported its findings to QCT, the solutions company responded that it had finally fixed the vulnerability. But rather than publish an advisory and make a patch public -- as just about every company does when fixing a critical vulnerability -- it told Eclypsium it was providing updates privately on a customer-by-customer basis. As this post was about to go live, "CVE-2019-6260," the industry's designation to track the vulnerability, didn't appear on QCT's website. [...] "[T]hese types of attacks have remained possible on BMCs that were using firmware QCT provided as recently as last month," writes Ars' Dan Goodin in closing. "QCT's decision not to publish a patched version of its firmware or even an advisory, coupled with the radio silence with reporters asking legitimate questions, should be a red flag. Data centers or data center customers working with this company's BMCs should verify their firmware's integrity or contact QCT's support team for more information."

Contradiction

[Baby Duck]

Omnipotent ... yet vulnerable. Okay?

Re:

[drinkypoo]

BMCs are basically just tiny PCs with access to your BIOS (or whatever it is) and the ability to provide a remote console. And through IPMI (the usual BMC standard) virtual media, you can feed the system a disk image and boot from it. So it can do anything you can do with access to the machine's exterior, except plug in a peripheral. But it's just a PC and therefore it's still vulnerable to attack itself [slashdot.org], especially if updates don't come in a timely fashion, or at all.

Re: Contradiction

[Malays2 bowman]

I've always wanted to pull the pants down on that Yahweh bastard.

Not really important unless you're really bad

[mveloso]

Let's face it, you have to be a pretty bad IT department to (1) put your management plane on the public internet, and (2) not drop a few ACLs on it.

The bug is severe, if you can exploit it. However, if the IT department is that bad there are going to be other vulnerabilities that are more relevant.

Re:

[arglebargle_xiv]

Or be pantsdrunk [theguardian.com] to get pwned by pantsdown. Kippis!

Re:

[jabuzz]

This a 1000 times. If an unknown third party has access to your management network then it is likely game over anyway. Though mostly because the devices sitting on them don't get updates. We still have production servers for which I have to jump through lots of hoops to use the lights out management because modern browsers and modern Java won't touch and they have not been updated in years. Even if there where a stream of updates for them all, I still wouldn't let the plebs anywhere near them.

If you don't h

Re:

[Shimbo]

Let's face it, you have to be a pretty bad IT department to (1) put your management plane on the public internet, and (2) not drop a few ACLs on it.

That would not prevent this attack, which is about an unprivileged local user leveraging the BMC to take over the machine, rather than just the usually general security suckage of management processors.

Re:

[HotNeedleOfInquiry]

Wished I could mod you up. Horrible writing.

for those who are curious

[Klaxton]

Here's an article describing what a BMC is;

https://www.servethehome.com/e... [servethehome.com]

They "are used in servers to perform the tasks that an administrator would otherwise need to physically visit the racked server to accomplish".

Exploit demo assumes attacker has root access

[slincolne]

(Yes - I know this is Slashdot but) but the demo video is worth watching. A key point about this is the they assume the attacker already has root access to the server.

So I think we are beyond something as simple as segregating the management plane form the Internet, more along the line that someone else already owns your servers.