QCT servers impacted by the BMC flaw dubbed Pantsdown

May 30, 2022

A critical firmware flaw puts many Quanta Cloud Technology (QCT) server models at risk, including models deployed in hyperscale data centre and cloud provider infrastructure. According to the researchers who reported it, the flaw could allow attackers to take control of a compromised server and then spread to other servers on the same management network.

Dubbed Pantsdown, the vulnerability (CVE-2019-6260) affects several QCT server models. First disclosed in 2019, it is a flaw in the baseboard management controller (BMC) silicon used by many modern servers, specifically the ASPEED AST2400 and AST2500 BMC chips, and therefore in the many firmware stacks built on them.

A BMC lets remote administrators control a server out of band: manage low-level hardware settings, mount virtual media, and install or update the host operating system. Many servers are managed through the Intelligent Platform Management Interface (IPMI), and BMCs are often administered in groups that share a single password. This makes BMCs attractive to threat actors: once one BMC is compromised, it is easy to move laterally to every other system in the same group.

Attacks on BMCs have been reported since 2013. The most recent was iLOBleed, reported last January, in which threat actors implanted malicious firmware in the iLO BMC of HPE servers.

Pantsdown carries a CVSS score of 9.8, rated critical.

According to the researchers, Pantsdown could give an attacker control of the server, allowing them to drop ransomware, steal sensitive data, or take the server out of service entirely. Because the BMC runs independently of the host, an implant there also survives a reinstall of the host operating system. With remote code execution inside the BMC, attackers can additionally steal its credentials, allowing them to spread to every other server in the same IPMI group.

The researchers developed their proof of concept (PoC) against QCT servers running the most recent firmware package available to any customer from the download page on the QCT website.

The PoC patches the web server code running in memory on the BMC, replacing it with malicious code that launches a reverse shell whenever a user refreshes the web page or connects to the server. Because the patch is applied in memory rather than to the flash image, checking the hash of the stored firmware alone will not reveal it. Note that the PoC requires the attacker to already have root access on the physical host; that level of access is routinely granted by default to anyone renting a bare-metal server instance.

Attackers could obtain that root access by exploiting an internet-facing application and escalating privileges. The researchers conclude that the issue highlights how essential it is for organisations to verify the integrity of the BMC firmware actually running on their systems.
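The integrity check the researchers call for, as an added illustration that is not part of the original article or of the researchers' own tooling: a small Python script that checks a dumped BMC flash image against the vendor's published SHA-256 and, separately, compares a dump of the BMC's running code region against the same reference to locate in-memory patches of the kind the PoC makes. The image, the manifest entry `bmc-fw-example-1.0.bin` and the patched region are constructed sample data; the script assumes you already have a vendor-specific way to dump flash and memory from your BMC, which is out of scope here.

```python
import hashlib
from typing import Dict, List, Optional, Tuple

# Constructed sample data (not a real QCT image): a "known-good" firmware image
# and the SHA-256 a vendor download page would publish for it. Real BMC images
# are many megabytes; 64 bytes are enough to exercise the checks.
KNOWN_GOOD_IMAGE = bytes(range(64))
VENDOR_MANIFEST: Dict[str, str] = {
    "bmc-fw-example-1.0.bin": hashlib.sha256(KNOWN_GOOD_IMAGE).hexdigest(),
}


def verify_flash_image(name: str, image: bytes, manifest: Dict[str, str]) -> bool:
    """Check a dumped flash image against the vendor's published SHA-256.

    An image whose name is not in the manifest is treated as unverified
    rather than trusted, so an unknown build never passes by default.
    """
    expected = manifest.get(name)
    if expected is None:
        return False
    return hashlib.sha256(image).hexdigest() == expected


def find_modified_ranges(reference: bytes, observed: bytes) -> List[Tuple[int, int]]:
    """Return (offset, length) for every run of bytes where observed differs
    from reference.

    Intended for comparing a dump of the BMC's running code against the same
    region of the verified flash image: a flash hash alone says nothing about
    code that was patched in memory after boot.
    """
    if len(reference) != len(observed):
        raise ValueError("dumps differ in length; compare the same region")
    ranges: List[Tuple[int, int]] = []
    start: Optional[int] = None
    for i, (a, b) in enumerate(zip(reference, observed)):
        if a != b and start is None:
            start = i                      # first byte of a modified run
        elif a == b and start is not None:
            ranges.append((start, i - start))
            start = None
    if start is not None:                  # run extends to the end of the dump
        ranges.append((start, len(reference) - start))
    return ranges


def patch(image: bytes, offset: int, payload: bytes) -> bytes:
    """Constructed stand-in for an in-memory patch: overwrite bytes at offset."""
    if offset < 0 or offset + len(payload) > len(image):
        raise ValueError("payload does not fit inside the image")
    return image[:offset] + payload + image[offset + len(payload):]


if __name__ == "__main__":
    name = "bmc-fw-example-1.0.bin"
    # The flash still matches the vendor image...
    print("flash verified:", verify_flash_image(name, KNOWN_GOOD_IMAGE, VENDOR_MANIFEST))
    # ...but the running copy has four bytes overwritten at offset 16,
    # which only a comparison of the live region reveals.
    tampered_memory = patch(KNOWN_GOOD_IMAGE, 16, b"\xff\xff\xff\xff")
    print("modified ranges:", find_modified_ranges(KNOWN_GOOD_IMAGE, tampered_memory))
```

Run both checks: the flash check tells you whether the stored image is one the vendor shipped, and the range comparison tells you whether what is executing still matches it. In practice the reference for the second check is the code region extracted from the same verified image, and any non-empty list of ranges warrants pulling the server from service and investigating.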
