Cloudborne vulnerability affecting baseboard management controllers exposes cloud servers to potential hacking

Baseboard management controllers give administrators remarkable control over servers inside data centres

Researchers have discovered a new security vulnerability, dubbed Cloudborne, which could enable attackers to exploit a component of server motherboards to compromise organisations' data stored in the cloud.

Oregon-based security start-up Eclypsium recently examined Cloudborne in detail and found that it affects the baseboard management controllers (BMCs) which are commonly supplied with server motherboards, including those used by cloud service providers at their data centres.

BMCs are the motherboard-attached chips that give administrators control over servers inside data centres. Using BMCs, administrators can make changes to a server even if it is not turned on, or even if no administrator is physically present on the premises.

With BMCs, it becomes possible to modify a server's firmware, make configuration changes, install apps, or even reinstall operating systems.

In 2013, researchers warned for the first time that preinstalled BMCs in servers from HP, Dell, and other manufacturers were poorly secured, and could offer hackers an easy way to seize servers inside data centres.

Researchers also found several weaknesses in products from Super Micro Computer Inc., one of the largest suppliers of server motherboards to cloud service providers.

According to Eclypsium, its research team was able to remotely implant vulnerabilities into an IBM Cloud server, which was leased by the research team as "bare metal". The team says it was able to regain access to the server after it was released back into IBM's hardware pool.

According to the researchers, attackers can exploit Cloudborne if a cloud service provider fails to fully reset a machine's firmware before reallocating it to a new client. In other words, the vulnerability could enable attackers to infect a bare-metal server with malware or to create a backdoor to steal the data of the next client that rents the machine.

"The combination of using vulnerable hardware and not re-flashing the firmware makes it possible to implant malicious code into the server's BMC firmware and inflict damage or steal data from IBM clients that use that server in the future," Eclypsium's researchers wrote in their research paper.

IBM released a security advisory stating that it has taken necessary steps to fix the issue. These steps included forcing all BMCs to be reflashed with factory firmware before they are reassigned to new clients. The company will also ensure that "all logs in the BMC firmware are erased and all passwords to the BMC firmware are regenerated."

The researchers, however, warn that the issue is not limited to any one service provider.

They also suspect that the vulnerability might affect regular, virtual cloud instances, although such machines are somewhat resistant to BMC-based attacks.