Two years ago, ransomware hackers breached hardware manufacturer Gigabyte and lost more than 112 gigabytes of data that included information from its most important partners, including Intel and AMD. Now researchers are warning that the leaked data has revealed what could be a zero-day vulnerability that could put the world at risk.
The vulnerability resides within the firmware that Duluth, Georgia-based AMI manufactures for BMCs (controller boards). These small computers sold in server boxes allow cloud storage facilities, and sometimes their customers, to manage the remote management of large numbers of computers. It enables administrators to remotely reinstall OSes, install and uninstall software, and control almost any other aspect of the system – even when it’s turned off. BMCs provide what is known as “lights-out” system management.
Researchers from security firm Eclypsium analyzed the AMI firmware that was leaked in the 2021 ransomware attack and recognizing weaknesses that have been around for years. They can be used by any local or remote attacker with the ability to use the remote control interface known as Redfish to deliver malicious code that runs on any server inside the data.
Until those vulnerabilities are patched using the AMI updates published Thursday, they provide a way for malicious hackers — both funded and state-sponsored — to gain critical access to some of the world’s most critical cloud environments. From there, the attackers can install ransomware and espionage malware that runs at low speed on the infected machine. Successful attackers can also crash servers or reboot for long periods of time that a vulnerable team can’t disrupt. Eclypsium warned that such events could lead to “perpetual enlightenment”.
In a post published on ThursdayEclypsium researchers wrote:
These weaknesses vary in depth from start to finish Advanced to Difficultincluding use of unauthorized remote codes and access to unauthorized devices with superuser permissions. It can be used by remote attackers with access Redfish remote control connections, or from compromised operating systems. Redfish is the successor to the traditional IPMI and provides an API standard for managing server performance and other tools to support the modern data center. Redfish is supported by almost all major server and infrastructure vendors, as well as the OpenBMC firmware project used in modern hyperscale environments.
These weaknesses pose a major threat to the technology delivery infrastructure that underlies cloud computing. In short, weaknesses in the supply chain affect many hardware vendors, which can be supplied to many cloud services. As such these vulnerabilities can pose a risk to the servers and equipment that the organization owns directly and the equipment that supports the cloud services that it uses. It may also affect developing organizations and should be discussed with the three parties as part of the public safety due diligence process.
BMCs are designed to provide administrators with complete and remote control over the servers they manage. AMI is the leading supplier of BMCs and BMC firmware for various hardware vendors and cloud service providers. As a result, these vulnerabilities affect many devices, and can allow attackers to control or destroy not only devices but also data centers and cloud service infrastructure. The same misconceptions can affect data center equipment in different locations that are part of the same service provider, and can challenge the assumptions that cloud providers (and their customers) often make when managing risk management and business continuity.
The researchers also realized that if they can find the vulnerable content and document the incident after analyzing publicly available sources, there is nothing to stop bad actors from doing the same. And even without access to the source, the vulnerabilities can still be discovered by extracting the BMC firmware images. There is no indication that the bad parties have done this, but there is also no way to know that they haven’t.
The researchers privately notified AMI of the vulnerability, and the company developed firmware patches, which are available to customers via the Internet. banned support page. AMI has also issued an advisory Here.