A new report from the hardware security firm Eclypsium has revealed that hackers can corrupt the firmware of bare-metal cloud servers so that they can regain access to the servers after they’ve been released and reassigned to other customers.
A bare-metal server is a physical server that is rented to one customer at a time and many companies in the cloud services industry offer these servers to their customers because of their flexibility and security benefits. Once a customer is finished with the server, it is released back to the cloud company and the provider wipes the server of any customer data so that it can make it available to others.
However, in its latest experiment, Eclypsium discovered that cloud service providers are not doing enough when it comes to properly wiping base-metal servers.
The team was successfully able to make modifications to a server’s baseboard management controller (BMC) firmware which a potential attacker could use to access a server after it was wiped and reassigned to another customer.
Last year, researchers from Eclypsium discovered vulnerabilities in the BMC firmware of Super Micro motherboards and they used this knowledge to exploit IBM’s SoftLayer cloud service which uses Super Micro hardware.
The company explained why it chose IBM SoftLayer for its experiment, saying:
“We originally chose SoftLayer for our testing environment because of its simplified logistics and access to hardware but noticed SoftLayer was using SuperMicro server hardware that based on our previous research we knew were vulnerable. It should be noted that SoftLayer uses other hardware vendors in addition to SuperMicro, and SuperMicro devices are used by many other service providers.”
Eclypsium called its successful test Cloudborne and the company’s research team was able to update a rented bare-metal server’s BMC firmware with one they had prepared in advance which contained just one single bit flip so that they could recognize it at a later point. However, an attacker could add malicious code to the BMC firmware opening a server up to backdoor accounts.
IBM responded to Eclypsium’s research in a blog post in which it detailed how it had reconfigured its cloud service to reflash all BMC firmware to factory settings and erase all logs and generate new passwords for each client.