'Pantsdown' BMC vulnerability still present in Quanta servers

Eclypsium found that a critical security flaw first disclosed in 2019 remains exposed in many internet-facing servers, leaving networks at risk for remote code execution attacks.

A critical security flaw first disclosed in 2019 was found to be present on a number of data center and cloud servers.

Researchers with security provider Eclypsium found that data center hardware manufacturer Quanta Cloud Technology (QCT) was shipping rack-mounted servers with firmware vulnerable to CVE-2019-6260. Known for branding purposes as "Pantsdown," CVE-2019-6260 is a vulnerability in the Aspeed AST2400 and AST2500 baseboard management controller (BMC) chips that many servers use for remote management.

QCT servers are generally used by data centers and cloud providers. The hardware vendor addressed the flaw with new firmware, though Eclypsium noted that the firmware update has not been publicly released and instead was made available privately to customers. As a result, it is unclear how many internet-facing servers remain vulnerable, as the company has not provided public information on the patching efforts.

In 2019, researchers with IBM discovered that the Aspeed BMC chips expose bridges from the host to the BMC's physical address space, giving software running on the host arbitrary read and write access to BMC memory. In practice, an attacker who had temporarily obtained administrator access on the host could give themselves persistence on a server by writing code into the BMC, hardware that runs at a level below the operating system and survives reinstalls of it.

The BMC vulnerability was given a CVSS v3 base score of 9.8 (critical), a rating that reflects a network attack vector with no privileges or user interaction required and full loss of confidentiality, integrity and availability.

"This vulnerability can provide an attacker with full control over the server including the ability to propagate ransomware, stealthily steal data, or disable the BMC or the server itself," Eclypsium said in a blog post Thursday.

"Additionally, by gaining code execution in the BMC," the blog post continued, "attackers could steal the BMC credentials, which could allow the attack to spread to other servers in the same IPMI [Intelligent Platform Management Interface] group. This highlights how a single bug can potentially allow attackers to target many devices in the same network as seen in the recent attacks on ViaSat."

When the BMC vulnerability was disclosed, experts speculated that patching the flaw could prove difficult because the affected code lives in open source packages that run at the firmware level and are consumed downstream by many different vendors.

In addition to the Linux Foundation's OpenBMC project, the Pantsdown flaw was found to be present in BMC firmware shipped by Supermicro and AMI. This meant that companies using the vulnerable hardware were at the mercy of their supply chain providers to obtain the fix.

This seems to be the case with QCT -- the server vendor's rack-mount servers were found to be using a version of AMI-based BMC software that was still vulnerable to the bug. QCT could not be reached for comment on the matter.

While the presence of a three-year-old flaw in a server vendor's products is disturbing on its own, the bigger issue to Eclypsium is that major security flaws can linger for years when they fall into a blind spot: shared libraries and upstream components that the administrators running the actual machines cannot inspect or patch themselves.

The Eclypsium team told SearchSecurity that QCT is probably not alone in leaving this BMC vulnerability and other flaws exposed to attackers.

"Not only is it likely to be shared by other server manufacturers," Eclypsium said in an email to SearchSecurity, "but because BMC-focused exploits are becoming more mainstream (see iLOBleed in January), the likelihood of a vulnerability being immediately exploited in this way is higher than it has ever been."
