A five year old vulnerability in a widely used administrative tool for servers used for sensitive and mission-critical computing again causes problems. The vulnerability exists thanks to baseboard management controllers (BMCs), and threatens premium cloud services from IBM and possibly other providers, reports Ars Technica.
BMCs are microcontrollers attached to the motherboard, giving companies exceptional control over servers in data centres. The Intelligent Platform Management Interface allows administrators to reinstall operating systems, install or modify apps, and make configuration changes across a wide range of servers. They do not need to be physically present in the data centres, and in many cases the servers do not need to be switched on.
Researchers warned in 2013 that BMCs pre-installed in servers from Dell, HP and several other manufacturers were so poorly secured that they gave attackers a sleek and good way to take over complete fleets of servers in data centers.
Backdoor
Now researchers from security company Eclypsium have discovered that BMC vulnerabilities pose a risk to a premium cloud service offered by IBM and possibly other providers. The premium service is called bare-metal cloud computing. The option is offered to customers who want to store very sensitive data, but do not want it to be mixed on servers used by other customers.
Customers can therefore buy exclusive access to a server. When they no longer need the server, they return it to the provider. The provider must then clean up the servers so that they can be used safely by the next customer. But according to the study, BMC vulnerabilities can undermine this model by allowing a customer to leave a loophole behind. That back door remains active when a server is re-assigned.
The back door makes the customer vulnerable to various attacks, such as data theft, DoS attacks and ransomware.
IBM
IBM has now issued a statement on the vulnerability and the investigation. “We have no knowledge of any customer or IBM data at risk due to this potential vulnerability, and we have taken action to eliminate the vulnerability,” said the company.
“Given the steps we have taken and the difficulty of exploiting this vulnerability, we believe that the potential impact on customers is low. Although the report focuses on IBM, this was actually a potential vulnerability for all cloud service providers, and we thank Exlypsium for highlighting this.”
This news article was automatically translated from Dutch to give Techzine.eu a head start. All news articles after September 1, 2019 are written in native English and NOT translated. All our background stories are written in native English as well. For more information read our launch article.