
posted by Fnord666 on Friday March 01 2019, @07:51AM
from the the-proof-is-in-the-cracking dept.

Submitted via IRC for SoyCow1984

Supermicro hardware weaknesses let researchers backdoor an IBM cloud server

More than five years have passed since researchers warned of the serious security risks that a widely used administrative tool poses to servers used for some of the most sensitive and mission-critical computing. Now, new research shows how baseboard management controllers, as the embedded hardware is called, threaten premium cloud services from IBM and possibly other providers.

In short, BMCs are motherboard-attached microcontrollers that give extraordinary control over servers inside datacenters. Using the Intelligent Platform Management Interface, admins can reinstall operating systems, install or modify apps, and make configuration changes to large numbers of servers, without physically being on premises and, in many cases, without the servers being turned on. In 2013, researchers warned that BMCs that came preinstalled in servers from Dell, HP, and other name-brand manufacturers were so poorly secured that they gave attackers a stealthy and convenient way to take over entire fleets of servers inside datacenters.

Researchers at security firm Eclypsium on Tuesday plan to publish a paper about how BMC vulnerabilities threaten a premium cloud service provided by IBM and possibly other providers. The premium service is known as bare-metal cloud computing, an option offered to customers who want to store especially sensitive data but don't want it to intermingle on the same servers other customers are using. The premium lets customers buy exclusive access to dedicated physical servers for as long as needed and, when the servers are no longer needed, return them to the cloud provider. The provider, in theory, wipes the servers clean so they can be safely used by another bare-metal customer.

Eclypsium's research demonstrates that BMC vulnerabilities can undermine this model by allowing a customer to leave a backdoor that will remain active once the server is reassigned. The backdoor leaves the customer open to a variety of attacks, including data theft, denial of service, and ransomware.
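The model above only holds if the provider checks the BMC itself, not just the disks, before handing a server to the next tenant. The following is an added example, not code from Eclypsium, IBM or the article: a hypothetical reprovisioning gate that compares a dumped BMC firmware image against a known-good digest and looks for IPMI accounts beyond the expected baseline. The board name, version, image bytes and `ipmitool user list`-style output are all constructed for the example.

```python
import hashlib

# Constructed known-good manifest: (board, firmware version) -> SHA-256 of the
# vendor image. The "image" is placeholder bytes, not real firmware.
GOOD_IMAGE = b"CONSTRUCTED-BMC-IMAGE-v1.2.3"
KNOWN_GOOD = {("X11-HYPOTHETICAL", "1.2.3"): hashlib.sha256(GOOD_IMAGE).hexdigest()}

# IPMI accounts a freshly provisioned server is expected to carry (assumption).
BASELINE_USERS = {"ADMIN"}

# Constructed sample in the layout of `ipmitool user list <channel>`; the
# third row is the kind of leftover a previous tenant could have added.
USER_LIST_BEFORE_WIPE = """\
ID  Name             Callin  Link Auth  IPMI Msg   Channel Priv Limit
1                    true    false      false      NO ACCESS
2   ADMIN            true    true       true       ADMINISTRATOR
3   svc_backup       true    true       true       ADMINISTRATOR
"""


def parse_user_list(text):
    """Return {name: privilege} for every populated user slot."""
    users = {}
    for line in text.splitlines()[1:]:
        f = line.split()
        # An unnamed slot has the boolean columns shifted into position 1.
        if len(f) >= 6 and f[1] not in ("true", "false"):
            users[f[1]] = " ".join(f[5:])
    return users


def reprovision_findings(board, version, image, user_list_text):
    """Return findings that block reassignment; an empty list means clean."""
    findings = []
    expected = KNOWN_GOOD.get((board, version))
    if expected is None:
        findings.append(f"no known-good image for {board} {version}")
    elif hashlib.sha256(image).hexdigest() != expected:
        findings.append("BMC firmware digest differs from vendor image")
    for name, priv in sorted(parse_user_list(user_list_text).items()):
        if name not in BASELINE_USERS:
            findings.append(f"unexpected IPMI account {name} ({priv})")
    return findings


if __name__ == "__main__":
    for f in reprovision_findings("X11-HYPOTHETICAL", "1.2.3",
                                  GOOD_IMAGE + b"\x00", USER_LIST_BEFORE_WIPE):
        print("BLOCK:", f)
```

In practice the image would be read back from the BMC flash with the vendor's tooling and the server reflashed regardless of the result; the gate only decides whether the reflash and account reset can be trusted to have happened.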


  • (Score: 5, Interesting) by Hyperturtle (2824) on Friday March 01 2019, @01:46PM (#808671) (2 children)

    Makes those claims about supermicro vulnerabilities that Apple and Amazon and so forth all denied that much more plausible.

    I guess if you look for chips that aren't there, you can say you didn't find any evidence of hardware tampering. Your brand is protected. But when the chips that are supposed to be there are flawed and the reporter covering the story isn't exactly an internet expert at these sorts of things...

    https://www.bloomberg.com/news/articles/2018-10-04/the-big-hack-amazon-apple-supermicro-and-beijing-respond [bloomberg.com]

    Whether they are correlated, I couldn't tell you, but it's been known for years that a lot of these chips and add-on boards have enough room and capability on them to do things besides what it says in the manual. Heck, I've even loaded custom firmware and modified the expected roms on hardware to add features that otherwise only are available via purchasing hardware replacements. It shouldn't be a surprise that hardware with advanced features and little user interaction can silently be exploited.

    I did several audits for large data centers on the west coast; surreptitiously gaining access on the iscsi network via unexpected entry when I rented a rack in shared space and paid for space on the network... having your own bare metal on a network that can be compromised by design because it's cheaper to do it that way... well let's say I earned my paycheck in their view, but it wasn't much more than running a few wizards and saying I told you so.

    For the record, setting up a packet sniffer on the network at key points can be so valuable at finding things like this... any unexpected connection can be investigated. If you rent out space in a rack, it may behoove you to ask how they analyze traffic patterns and what can be done about unexpected network conversations to-and-from hardware that is otherwise permitted (which is often the case if no one knows about a given vulnerability so that it can be blocked).

    (Note that if they used a wireless transponder of some kind to off-load the data, a hardwired packet sniffer may not see all of the traffic--do regular wireless audits as well [especially where there isn't even supposed to be wireless and so no one is checking because of that], to see where there is a strong signal where it's not expected to be...)

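The "sniffer at key points" advice in the comment above, worked as an added example (not the commenter's code) over constructed flow records for a hypothetical out-of-band management segment. The policy assumes BMCs live in 10.9.0.0/24 and should only ever talk to one management station, 10.9.0.5, over IPMI, HTTPS and SSH; any other conversation involving a BMC is flagged for investigation.

```python
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "src dst dport proto")

# Hypothetical management-segment policy (assumption, not a real deployment).
MGMT_NET = ipaddress.ip_network("10.9.0.0/24")
MGMT_STATION = ipaddress.ip_address("10.9.0.5")
ALLOWED = {("udp", 623), ("tcp", 443), ("tcp", 22)}   # IPMI, HTTPS, SSH

# Constructed flow records: "src dst dport proto", one per line.
SAMPLE_FLOWS = """\
10.9.0.17 10.9.0.5 623 udp
10.9.0.5 10.9.0.17 22 tcp
10.9.0.17 10.9.0.18 22 tcp
10.9.0.23 198.51.100.77 443 tcp
10.9.0.41 10.9.0.5 8080 tcp
"""


def parse_flows(text):
    flows = []
    for line in text.splitlines():
        src, dst, dport, proto = line.split()
        flows.append(Flow(ipaddress.ip_address(src), ipaddress.ip_address(dst),
                          int(dport), proto))
    return flows


def unexpected_conversations(flows):
    """Return (flow, reason) for each flow the management policy does not expect."""
    hits = []
    for f in flows:
        src_bmc = f.src in MGMT_NET and f.src != MGMT_STATION
        dst_bmc = f.dst in MGMT_NET and f.dst != MGMT_STATION
        if not (src_bmc or dst_bmc):
            continue                       # no BMC involved, out of scope here
        if src_bmc and dst_bmc:
            reason = "BMC-to-BMC lateral traffic"
        elif f.src not in MGMT_NET or f.dst not in MGMT_NET:
            reason = "BMC conversation crossing the management segment boundary"
        elif (f.proto, f.dport) not in ALLOWED:
            reason = f"unexpected service {f.proto}/{f.dport} with management station"
        else:
            continue                       # expected BMC <-> station traffic
        hits.append((f, reason))
    return hits


if __name__ == "__main__":
    for flow, why in unexpected_conversations(parse_flows(SAMPLE_FLOWS)):
        print(f"{flow.src} -> {flow.dst} {flow.proto}/{flow.dport}: {why}")
```

As the comment notes, a wired tap only sees what crosses it; a wireless exfiltration path needs a separate audit.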
  • (Score: 0) by Anonymous Coward on Friday March 01 2019, @08:32PM (#808918) (1 child)

    Makes those claims about supermicro vulnerabilities that Apple and Amazon and so forth all denied that much more plausible.

    Why? This article is not about Supermicro. It's about a class of computers, including all leading brands. The article says that if you misconfigure a BMC, it ... just imagine! ... may become vulnerable.

    The paper's purpose appears to be to give a plausible conclusion to the Supermicro debacle. It started with outlandish claims - someone showed a Minicircuits RF filter and declared that it can exfiltrate information. Failing that, they moved to another accusation - that an Ethernet jack on a Supermicro motherboard was connected to a microprocessor. And now they finalized the story by pointing out that the MCU is the BMC, which is legally installed and documented. The story becomes a non-story. That's how this politically driven media attack ended.

    • (Score: 2) by Hyperturtle (2824) on Saturday March 02 2019, @02:28PM (#809142)

      Yes -- it's about a class of computers that they all admit to using, and deny there is an issue with. They probably are telling the truth if they are actually ignorant of the problems. That's why places pay for security audits, so that they find these things out without having to read about them on the news. Everyone that might have this issue would be expected to deny it -- the stock price would fall if they were to say anything else. It's not like they let the public sector or reporters come in to try to prove a falsehood.

      You're right though, that focus was on a specific type of machine and functionality.

      Lots of machines use this *type* of functionality, and often it's depended on for management purposes when rows of racks of pizza box style servers exist for hosting. I have some Lenovo Thinkservers that have "AMT" in them, and even with the servers turned off, I can log in to the bios and change stuff around and even lock myself out and do serious harm if I change the network settings. There are things in the AMT like IP addressing (IPV4 and IPV6), host name, nic duplex/speed settings, installed hardware and such -- things that can be changed that CAN'T be changed with physical keyboard access to the BIOS when hitting F1 to get into the BIOS directly. That changes different options... Even if I did not change things, it provides a detailed layout of the hardware installed (disk drives, 3rd party nics, video, ram type, cpu type, etc) and makes it easy to search for other flaws with data that didn't even have to be scanned to retrieve--it can simply be retrieved.

      The possibility to do great damage exists, but that is true of nearly all remote admin tools. It boils down to acceptable risk, and what's acceptable in hardware that is not yours and that you cannot fully manage or control or prevent others from doing the same... that you have chosen to use for cost or convenience purposes. Even when you own, manage, and host it yourself, the convenience of some remote management features can be hard to disable.

      It isn't outlandish that an ethernet jack on a supermicro motherboard connected to a 'microprocessor' can be compromised, considering that's pretty much what I just detailed. I remember at one time, when 10gb nics were full length PCIe boards (you can still find them out there for cheap), they were essentially heat generating computers in a computer.

      And those cards and their computers ran a custom OS that essentially managed the traffic flow. The OS drivers just saw it as a NIC. Someone, somewhere, essentially rooted one with a custom rom and allowed for packet sniffing and data capture with the ability to transmit the data from the card to wherever, and the system hosting the card had no concept since it never saw what actually left the card. It required a robust network security model to detect the traffic, since you know, lots of hardware phones home, manufacturers aren't usually very transparent about what their drivers are sending as telemetry, and few companies seek to audit unknown traffic on things like web facing blade servers in a shared topology using a 10gb nic that is split up virtually among dozens or more hosts that have legit traffic from all over the world. Any mistakes in filtering can ruin a customer's day, and a lot of the time... no one wants to be responsible for any mistakes, and companies actually quiz their hosted clients as to the nature of their traffic.

      Most of that is learned, if it is even learned, over time, so a lot of data collection and transmission could take place in shared topologies like that. White listing a mac address on the card to prevent it talking to neighbors on a shared network segment doesn't do anything to prevent the card from collecting the data on all the traffic it's permitted to transmit to begin with.