It has been revealed that the embedded hardware components on Supermicro motherboards have vulnerabilities that could let IBM or other cloud services be implanted with backdoors that allow attackers to steal corporate customer data, install malicious programs or launch DDoS denial of service attacks.
This vulnerability appears on BMC of Supermicro. BMC is a component with high access. It provides a variety of interfaces, including the system interface, the IPMB interface, LAN and Serial/Modem interface, allowing data center administrators to perform remote instruction execution through IPMI intelligent platform management interface, or install the operating system, install and modify the APP or the underlying firmware when the server is not on. It also can change the configuration of multiple servers.
However, interface provided by BMC frequently is used transmit malicious IPMI instructions and even suffers from the exploitation of BMC firmware vulnerabilities by malicious programs as it lacks sufficient verification of IPMI instructions from inside and outside the system. Among all motherboard products, Supermicro is usually found to be affected by a variety of vulnerabilities.
There is one additional risk in the public cloud service environment. The researchers noted that others can affect or invade other customers on the same physical server by attacking firmware vulnerabilities in cloud services.
The combination of buggy hardware and flawed firmware allows an attacker to gain back access to a cloud hosted by a new enterprise client on the same server, steal data or implant any malicious programs.
IBM responded on Monday, saying in a blog post that BMC is a third-party component for server remote management and is part of the IBM Cloud bare machine service product. At present, IBM has not found that this vulnerability has been maliciously exploited. And this vulnerability has been addressed. IBM is about to get the log of all BMC firmware to be deleted forcibly, and reset the password of all BMC firmware.
Published by Emerson L. Sullivan & last updated on March 1, 2019 7:47 am