The paranoiacs of the security world have long warned that a computer that has been in a stranger's hands should never be trusted again. Researchers at one company have now shown that, in some cases, the same maxim applies to a class of machine that never touches your hands at all: the cloud server.
On Tuesday, researchers from the security firm Eclypsium released the results of an experiment demonstrating a devious trick on a particular class of cloud computing server: they could rent a server from a cloud provider (their tests focused on IBM), alter its firmware, and have that hidden change persist even after they gave up the rental and another customer rented the same machine. They made only harmless changes to the firmware of the IBM servers in their demonstration, but they warn that the same technique could plant malware in the server's hidden code that would go undetected even when another user takes over the computer, letting a hacker spy on the server, alter its data, or destroy it at will.
"When organizations use public cloud infrastructure, they are essentially borrowing devices, like buying them from eBay, for example, and those devices may have been infected before they get them," says Yuriy Bulygin, founder of Eclypsium and former leader of Intel's Advanced Threat Research team. "Similarly, these devices can become infected if the cloud service provider has not disinfected all of the lowest-level components, including the firmware."
The cloud disinfection problem the Eclypsium researchers highlighted does not, to be clear, apply to all cloud servers. A typical cloud computing setup gives each customer a so-called "virtual machine," a kind of sealed aquarium inside the computer that is isolated from the server's actual hardware and from other customers' virtual machines in the same box. But everyone from Amazon to Oracle to Rackspace also offers so-called bare-metal servers, in which a customer rents and fully controls a physical computer for better performance or, ironically, security. IBM has thousands of enterprise customers using bare-metal machines for everything from video conferencing to mobile payments to neurological stimulation treatments.
Renting a machine in a bare-metal setup can give an attacker far more dangerous access to components that can carry malware over to the next tenant of that server. "The problem is definitely worse and much easier to exploit for bare-metal services," says Bulygin.
Hackers have proven for years, both in research and in the real world, that the firmware residing in little-noticed chips controlling everything from USB sticks to hard drives can provide a hidden foothold for malicious code. These infections can evade all antivirus programs and even survive the complete erasure of a computer's memory.
In their experiments, the Eclypsium researchers focused on the firmware of a powerful component in the Super Micro servers that IBM offers to bare-metal customers of its cloud computing service, known as the baseboard management controller. The BMC is used to remotely monitor and manage the server and can do everything from accessing the computer's memory to changing its operating system. In earlier research, Eclypsium has even shown that a compromised BMC can be used to rewrite the firmware of other components to brick computers, or to paralyze them for a possible ransomware attack.
"It's really not possible to know if it's still infected or whether it can recover from it."
Karsten Nohl, Security Research Labs
In their experiments, the Eclypsium researchers rented an IBM bare-metal cloud server and made a harmless change to the BMC's firmware by altering just one bit in its code. They then gave up the server, releasing it back into IBM's pool of machines available to other customers, and a few hours later rented enough servers to find the same machine again, identifying it by its motherboard serial number and other unique identifiers. They found that, despite supposedly having been given a "fresh" machine, the BMC firmware change had been preserved.
"The infection of the firmware is persistent; it will not be removed by re-imaging the entire software stack," says Bulygin. And although the researchers made only a harmless change, they say it would be easy enough to hide genuinely malicious firmware using the same trick.
"No way to know"
In response to Eclypsium's research, IBM released a statement that downplayed the issue, labeling the vulnerability "low severity," but promised that the BMC firmware of its servers would be carefully wiped between customer deployments: "IBM has responded to this vulnerability by forcing all BMCs, including those that are already reporting up-to-date firmware, to be re-flashed with factory firmware before they are re-provisioned to other customers. All logs in the BMC firmware are erased and all passwords to the BMC firmware are regenerated."
As of Monday night, the Eclypsium researchers said they could still carry out their catch-and-release trick, suggesting that IBM's fix was not yet in place. An IBM spokesperson, however, told WIRED that a "fix has been implemented and we're working the backlog."
Other firmware-focused researchers, however, are skeptical of both IBM's low-severity label for the vulnerability and its purported fix. Karsten Nohl, who developed the so-called BadUSB attack that invisibly modifies the firmware of USB sticks, points out that the BMC firmware could be altered to give hackers control and then "lie" to administrators when they try to re-flash it, reporting that the update mechanism has updated it without actually removing the hacker's code. "Once the firmware is infected, there's no way to know if it's still infected or recovered," says Nohl. Another well-known firmware hacker, H.D. Moore, argues that only adding a hardware device to verify the integrity of the firmware would fully solve the problem.
For its part, IBM has not responded to a question from WIRED about the difficulty of relying on firmware updates. And since Eclypsium tested only IBM's bare-metal offerings, it is not clear whether the same firmware issue applies to other companies.
The good news is that bare-metal servers are only a small minority of cloud setups, and that virtualized servers would be much harder to attack with the firmware trick. But that is no comfort for anyone using the vulnerable setups. "It's a niche, but niche or not, it doesn't matter," says Nohl. "Even for a niche, this is a very relevant attack and there is no easy way to prevent it."