
Bare-Metal Cloud Firmware Security Fail Isn’t Limited to IBM – by Far

Tools used to manage bare-metal cloud environments can be used to attack data centers and are often overlooked, experts say, with IBM being one recent victim.

Security vendor Eclypsium reported last week that the Cloudborne vulnerability could be used by attackers to modify the baseboard management controller (BMC) firmware of a rented bare-metal server so that the implant survives reprovisioning and can be used to attack whoever rents the machine next.

One of the cloud providers that used the vulnerable baseboard management controller firmware by Supermicro was IBM Cloud, which wasn't careful about wiping the firmware between customers, John Loucaides, VP of engineering at Eclypsium, told Data Center Knowledge. But the problem could happen with any cloud provider, he added.

"This is really a broader industry concern about the firmware layer being effectively ignored by almost everybody.” If IBM can miss this, anyone else can, too. "IBM missed this – and missed this for quite a while. And there are a lot of smaller providers out there that don't have the resources that IBM has."

To protect their infrastructure, Loucaides said, data center managers should ensure their equipment hasn't been tampered with and that all patches are properly applied. Then, clean servers carefully after use by every customer. "Normally, in the reclamation process, you'd wipe the machine from the operating system level," he said. "Think about doing that from the firmware level as well."

Data centers should also make sure baseboard management controller passwords and logs are cleared. "You don't want them to be seeing the logs of whatever the previous person was doing."

While this vulnerability was in the baseboard management controller, Eclypsium has discovered other, similar vulnerabilities in other firmware.

What Should Cloud Users Do?

There are steps users of services like IBM Cloud can take to protect themselves.

For example, they can check their firmware version and see if there are known vulnerabilities, Loucaides recommended, or even install the firmware themselves and then double-check that the installation has gone through and wasn't blocked by any malware.

Of course, if there's malware in the firmware, it can lie about its version number and about success of a new installation. "It's not that they can't do that, but it's harder," he said.
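The reclamation steps Loucaides describes above (wipe at the firmware level, clear BMC logs and passwords) and the tenant-side version check are straightforward to script. What follows is an added example, not code from the article, Eclypsium or IBM: a set of shell functions that parse ipmitool-style output so the checks can be exercised offline against constructed samples, plus a live sequence showing how they chain onto real ipmitool calls. The BMC host, credentials, channel number and expected firmware string are assumptions, the sample outputs are constructed, and the vendor-specific reflash step itself is deliberately not shown. As the article notes, a BMC that is already compromised can lie about its version, so these checks raise the bar without being a guarantee.

```shell
#!/bin/sh
# Added example (not from the article, Eclypsium or IBM): post-reclamation
# checks for a bare-metal host's BMC. Host, credentials, channel and the
# expected firmware string are assumptions; samples below are constructed.

# "Firmware Revision" field from `ipmitool mc info` output on stdin.
bmc_fw_version() {
    awk -F ':' '/^Firmware Revision/ {
        v = $2; sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v); print v; exit
    }'
}

# Succeeds only when the BMC reports exactly the version that was just flashed.
# A mismatch after a reflash means the update did not take (or the BMC is lying).
bmc_fw_matches() {
    expected="$1"
    got=$(bmc_fw_version)
    [ -n "$got" ] && [ "$got" = "$expected" ]
}

# Number of System Event Log entries in `ipmitool sel list` output on stdin.
# After `ipmitool sel clear` this must be 0 so the next tenant sees nothing.
sel_entry_count() {
    grep -c ' | ' || true
}

# Names holding ADMINISTRATOR privilege in `ipmitool user list <channel>` output.
admin_user_names() {
    awk 'NR > 1 && $NF == "ADMINISTRATOR" { print $2 }'
}

# Admin accounts other than the provider's own: leftovers from the previous tenant.
stale_admin_users() {
    admin_user_names | grep -v -x -- "$1" || true
}

# Live sequence against one BMC (assumed lanplus reachability and credentials).
# Reflash with the vendor's tool first; this only verifies the result.
run_live_reclamation() {
    host="$1"; user="$2"; pass="$3"; expected_fw="$4"
    ipmi="ipmitool -I lanplus -H $host -U $user -P $pass"
    $ipmi sel clear
    $ipmi mc info | bmc_fw_matches "$expected_fw" \
        || { echo "$host: firmware is not $expected_fw after reflash" >&2; return 1; }
    [ "$($ipmi sel list | sel_entry_count)" -eq 0 ] \
        || { echo "$host: SEL still has entries" >&2; return 1; }
    stale=$($ipmi user list 1 | stale_admin_users "$user")
    [ -z "$stale" ] \
        || { echo "$host: stale admin accounts: $stale" >&2; return 1; }
    echo "$host: reclamation checks passed"
}

# --- Constructed sample output for offline use (not captured from a real BMC) ---
SAMPLE_MC_INFO='Device ID                 : 32
Device Revision           : 1
Firmware Revision         : 3.61
IPMI Version              : 2.0
Manufacturer Name         : Supermicro'

SAMPLE_SEL_DIRTY='   1 | 02/14/2019 | 09:12:33 | System Boot Initiated #0x07 | Initiated by power up | Asserted
   2 | 02/14/2019 | 11:40:02 | OS Boot #0x08 | C: boot completed | Asserted'

SAMPLE_USER_LIST='ID  Name             Callin  Link Auth  IPMI Msg   Channel Priv Limit
1                    true    false      false      NO ACCESS
2   ADMIN            false   false      true       ADMINISTRATOR
3   tenant-ops       false   false      true       ADMINISTRATOR'

# Runs every check against the samples; exit status 0 means the logic behaves.
offline_selfcheck() {
    printf '%s\n' "$SAMPLE_MC_INFO" | bmc_fw_matches 3.61 || return 1
    if printf '%s\n' "$SAMPLE_MC_INFO" | bmc_fw_matches 3.58; then return 1; fi
    [ "$(printf '%s\n' "$SAMPLE_SEL_DIRTY" | sel_entry_count)" -eq 2 ] || return 1
    [ "$(printf '' | sel_entry_count)" -eq 0 ] || return 1
    [ "$(printf '%s\n' "$SAMPLE_USER_LIST" | stale_admin_users ADMIN)" = "tenant-ops" ] || return 1
    echo "offline self-check passed"
}
```

Source the file and call `offline_selfcheck` to confirm the parsing logic, then `run_live_reclamation 10.0.0.5 ADMIN "$BMC_PASS" 3.61` (hypothetical host and version) against a freshly reflashed BMC. Rotating the provider's own BMC password after these checks pass is a separate `ipmitool user set password` step that is left out here because the new secret should come from the provider's secret store, not the script.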

IBM Says No Known Client Impact

Eclypsium notified IBM about the problem in September. IBM announced last week – some six months later – that it is now erasing all BMC firmware logs, regenerating passwords, and reflashing the firmware between customers, calling this a "low-severity" vulnerability.

"We are not aware of any client or IBM data being put at risk because of this reported potential vulnerability, and we have taken actions to eliminate the vulnerability," Faye Abloeser, director of communications for IBM Cloud, told us. "Given the remediation steps we have taken and the level of difficulty required to exploit this vulnerability, we believe the potential impact to clients is low."

One of Several Warnings

Eclypsium isn't the only security vendor to point out firmware security problems, including those in baseboard management controllers.

“Our team uncovered BMC vulnerabilities earlier this year and reported that they could easily be exploited for malicious purposes," Nicolas Waisman, VP of security consulting at Cyxtera Technologies, told us.

Once a server was compromised, attackers could reach its BMC over any network connection it had. Waisman suggested that data center managers could add another layer of protection by isolating systems at the network level. "In our research, we were able to mitigate the risk of inbound calls to the BMC and lateral movement using a software-defined perimeter solution," he said.

The underlying problem is that data center security is focused more on the operating system level and on applications security. "They're ignoring the hardware," Chris Rouland, co-founder and CEO at Phosphorus Cybersecurity, an Atlanta-based vendor specializing in securing firmware, said.

But with the management features available in motherboards today, it's like having a whole other computer sitting underneath the operating system level. "And if that computer is not up to date, all the investment you've made in securing the OS goes out the window," he said.

Dev Pro feed listing: 2019-03-05 13:05:00