Omnipotent BMCs From Quanta Remain Vulnerable To Critical Pantsdown Threat
"Quanta not patching vulnerable baseboard management controllers leaves data centers vulnerable," writes long-time Slashdot reader couchslug. "Pantsdown was disclosed in 2019..." Ars Technica reports: In January 2019, a researcher disclosed a devastating vulnerability in one of the most powerful and sensitive devices embedded into modern servers and workstations. With a severity rating of 9.8 out of 10, the vulnerability affected a wide range of baseboard management controllers (BMC) made by multiple manufacturers. These tiny computers soldered into the motherboard of servers allow cloud centers, and sometimes their customers, to streamline the remote management of vast fleets of computers. They enable administrators to remotely reinstall OSes, install and uninstall apps, and control just about every other aspect of the system -- even when it's turned off. Pantsdown, as the researcher dubbed the threat, allowed anyone who already had some access to the server an extraordinary opportunity. Exploiting the arbitrary read/write flaw, the hacker could become a super admin who persistently had the highest level of control for an entire data center. Over the next few months, multiple BMC vendors issued patches and advisories that told customers why patching the vulnerability was critical. Now, researchers from security firm Eclypsium reported a disturbing finding: for reasons that remain unanswered, a widely used BMC from data center solutions provider Quanta Cloud Technology, better known as QCT, remained unpatched against the vulnerability as recently as last month. As if QCT's inaction wasn't enough, the company's current posture also remains baffling. After Eclypsium privately reported its findings to QCT, the solutions company responded that it had finally fixed the vulnerability. But rather than publish an advisory and make a patch public -- as just about every company does when fixing a critical vulnerability -- it told Eclypsium it was providing updates privately on a customer-by-customer basis. As this post was about to go live, "CVE-2019-6260," the industry's designation to track the vulnerability, didn't appear on QCT's website. [...] "[T]hese types of attacks have remained possible on BMCs that were using firmware QCT provided as recently as last month," writes Ars' Dan Goodin in closing. "QCT's decision not to publish a patched version of its firmware or even an advisory, coupled with the radio silence with reporters asking legitimate questions, should be a red flag. Data centers or data center customers working with this company's BMCs should verify their firmware's integrity or contact QCT's support team for more information."
Read more of this story at Slashdot.