Bare-metal cloud servers vulnerable to Cloudborne flaw

Researchers warn that firmware backdoors planted on bare-metal cloud servers could later be exploited to brick a different customer’s server, to steal their data, or for ransomware attacks.


Firmware protection firm Eclypsium reported that hackers can use firmware backdoor implants on bare-metal cloud servers to gain persistence even after the next customer rents the bare-metal server from a cloud provider. That persistence, gained by exploiting the vulnerability dubbed Cloudborne, could allow attackers to brick the server, steal data, or launch ransomware attacks.

Eclypsium tested its theory on IBM’s SoftLayer cloud services, as SoftLayer in some cases uses vulnerable SuperMicro server hardware. The researchers modified the server’s baseboard management controller (BMC) firmware, waited until it was rented out by a different customer, and then reacquired the same device later. The team determined the firmware had not been reflashed even though the server had been wiped. Additionally, the firm determined the BMC root password remained the same and the BMC logs were still there.

Eclypsium disclosed the Cloudborne vulnerability to IBM in September 2018 and notified CERT in January. While the firm claims IBM never indicated it had made changes, IBM’s vulnerability advisory released Monday stated that it forced “all BMCs, including those that are already reporting up-to-date firmware, to be reflashed with factory firmware before they are re-provisioned to other customers. All logs in the BMC firmware are erased and all passwords to the BMC firmware are regenerated.”

There has been no indication, according to IBM, that the vulnerability had been maliciously exploited.
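The test Eclypsium describes (firmware not reflashed, root password unchanged, logs intact after the server was wiped) and the fix IBM describes (unconditional reflash, regenerated passwords, erased logs) can be modelled as a re-provisioning check. The following is an added example written for this article, not code from Eclypsium or IBM; the BMC state record, the three policy names, the firmware images and the passwords are constructed for the demonstration. It shows why a policy that trusts the version string the BMC itself reports is not enough: a modified image can still report the current version.

```python
"""Added example (not Eclypsium's or IBM's code): a re-provisioning check for a
bare-metal server's BMC. All states, images and passwords are constructed."""
from dataclasses import dataclass
import hashlib
import secrets


@dataclass
class BmcState:
    """What a BMC presents to the operator when a tenancy ends."""
    reported_version: str   # version string the BMC reports; a modified BMC can lie
    firmware_image: bytes   # bytes actually present in flash
    root_password: str
    event_log: list


def firmware_digest(image: bytes) -> str:
    """Hash of the flash contents; the only thing worth comparing against factory."""
    return hashlib.sha256(image).hexdigest()


def reprovision(state: BmcState, factory_image: bytes, factory_version: str,
                policy: str) -> BmcState:
    """Prepare a BMC for the next tenant under one of three constructed policies.

    "disk-only"            wipes storage but never touches the BMC (what Eclypsium observed)
    "reflash-if-outdated"  reflashes only when the reported version is not current
    "reflash-always"       reflashes every BMC regardless of what it reports (IBM's fix)
    """
    if policy == "disk-only":
        return state
    if policy == "reflash-if-outdated" and state.reported_version == factory_version:
        image = state.firmware_image          # reflash skipped: a modified image survives
    elif policy in ("reflash-if-outdated", "reflash-always"):
        image = factory_image                 # flash overwritten with factory firmware
    else:
        raise ValueError(f"unknown policy {policy!r}")
    return BmcState(
        reported_version=factory_version,
        firmware_image=image,
        root_password=secrets.token_urlsafe(24),  # regenerate BMC credentials
        event_log=[],                             # erase BMC logs
    )


def residual_findings(before: BmcState, after: BmcState, factory_image: bytes) -> list:
    """Indicators that the previous tenant's BMC state survived re-provisioning."""
    findings = []
    if firmware_digest(after.firmware_image) != firmware_digest(factory_image):
        findings.append("firmware in flash does not match the factory image")
    if after.root_password == before.root_password:
        findings.append("BMC root password unchanged")
    if after.event_log:
        findings.append("BMC event log not cleared")
    return findings


FACTORY_VERSION = "1.2.3"                       # constructed
FACTORY_IMAGE = b"constructed-factory-bmc-image"
# A BMC whose flash was altered by the previous tenant but which still reports
# the current version string.
TAMPERED = BmcState(
    reported_version=FACTORY_VERSION,
    firmware_image=b"constructed-factory-bmc-image+modified",
    root_password="previous-tenant-password",
    event_log=["constructed log line from the previous tenancy"],
)


def findings_for(policy: str) -> list:
    """Run the tampered BMC through one policy and report what survived."""
    after = reprovision(TAMPERED, FACTORY_IMAGE, FACTORY_VERSION, policy)
    return residual_findings(TAMPERED, after, FACTORY_IMAGE)


if __name__ == "__main__":
    for policy in ("disk-only", "reflash-if-outdated", "reflash-always"):
        print(f"{policy:22s} -> {findings_for(policy) or 'clean'}")
```

Only the "reflash-always" policy leaves no findings; the version-trusting policy clears the password and logs but keeps the modified image in flash, which is exactly the case IBM's advisory singles out with "including those that are already reporting up-to-date firmware".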

Other cybersecurity news

Cloudflare released transparency report, added new warrant canaries

While our heads are in the clouds, it might be a good time to mention that Cloudflare released its transparency report (pdf) for the second half of 2018 and added three new warrant canaries. The new warrant canaries state:

  1. Cloudflare has never modified customer content at the request of law enforcement or another third party.
  2. Cloudflare has never modified the intended destination of DNS responses at the request of law enforcement or another third party.
  3. Cloudflare has never weakened, compromised, or subverted any of its encryption at the request of law enforcement or another third party.

If, in the future, any of those warrant canaries are removed from the list, it will signify that law enforcement or a third party asked Cloudflare not to publicly disclose that it acted against one of the canaries.

In addition, Cloudflare changed the wording from one of the 2013 original warrant canaries, which stated, “Cloudflare has never turned over our SSL keys or our customers SSL keys to anyone,” to now state, “Cloudflare has never turned over our encryption or authentication keys or our customers' encryption or authentication keys to anyone.”

TurboTax parent company denies data breach

Intuit, the parent company of TurboTax, claimed it did not suffer a data breach, as was previously reported. The initial report of TurboTax being hit with a credential-stuffing attack referenced a letter (pdf) sent to the Vermont Attorney General, but Intuit said the letter was “a notification to a state that a customer’s account experienced unauthorized access by a third party using legitimated log-in credentials that Intuit believes were obtained from sources outside the company.”

While there was “NO data breach,” it is a potent reminder not to reuse passwords, as attackers are all too happy to take usernames and passwords collected from the plethora of other breaches and try them against sites that hold the kind of sensitive information found on tax forms: Social Security numbers, driver’s license numbers, financial information, addresses, birth dates, and more.
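Credential stuffing of the kind described above has a recognisable shape on the defender's side: one source address cycling through many distinct usernames with mostly failed logins, and the occasional success on an account whose password was reused elsewhere. The following is an added example for this article, not Intuit's code; the log format, the source addresses, the usernames and the thresholds are all constructed for the demonstration.

```python
"""Added example (not Intuit's code): flag credential-stuffing sources in
constructed authentication log lines. Format and thresholds are assumptions."""
import re
from collections import defaultdict

# Constructed log format: timestamp, result, username, source address.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>ok|fail) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample: 203.0.113.5 sprays six accounts and lands one login;
# 198.51.100.7 is an ordinary user who mistyped a password once.
SAMPLE_LOG = """\
2019-02-26T10:00:01Z auth fail user=alice src=203.0.113.5
2019-02-26T10:00:02Z auth fail user=bob src=203.0.113.5
2019-02-26T10:00:02Z auth fail user=carol src=203.0.113.5
2019-02-26T10:00:03Z auth fail user=dave src=203.0.113.5
2019-02-26T10:00:03Z auth ok user=erin src=203.0.113.5
2019-02-26T10:00:04Z auth fail user=frank src=203.0.113.5
2019-02-26T10:01:10Z auth fail user=alice src=198.51.100.7
2019-02-26T10:01:25Z auth ok user=alice src=198.51.100.7
"""


def parse(lines):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if m:
            yield m.groupdict()


def stuffing_sources(lines, min_distinct_users=5, max_success_ratio=0.5):
    """Return source addresses that tried many distinct usernames and mostly failed.

    A legitimate user retrying their own password touches one account, so the
    distinct-user count separates the two cases better than raw failure volume.
    """
    users = defaultdict(set)
    attempts = defaultdict(int)
    successes = defaultdict(int)
    for ev in parse(lines):
        users[ev["src"]].add(ev["user"])
        attempts[ev["src"]] += 1
        if ev["result"] == "ok":
            successes[ev["src"]] += 1
    return sorted(
        src for src in attempts
        if len(users[src]) >= min_distinct_users
        and successes[src] / attempts[src] <= max_success_ratio
    )


def accounts_to_review(lines, sources):
    """Accounts where a flagged source obtained a successful login: the
    'unauthorized access using legitimate credentials' case in Intuit's letter."""
    return sorted({
        ev["user"] for ev in parse(lines)
        if ev["src"] in sources and ev["result"] == "ok"
    })


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    flagged = stuffing_sources(lines)
    print("stuffing sources:", flagged)
    print("accounts to review:", accounts_to_review(lines, flagged))
```

The thresholds are deliberately simple; in practice the distinct-user count is usually evaluated per time window, and the accounts returned by `accounts_to_review` are the ones that need a forced password reset and a notification, not the whole user base.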
