On Thursday, cybersecurity firm Eclypsium said that several servers belonging to the data center solutions provider were still vulnerable to the bug, which has been publicly known for years now. The vulnerability, tracked as CVE-2019-6260, was first discovered in January 2019. At the time one security researcher described it as “the nature of feeling that we feel that we’ve caught chunks of the industry with their….” CVE-2019-6260, issued a CVSS severity score of 9.8, or critical, is a vulnerability in ASPEED Baseband Management Controller (BMC) hardware & firmware. AHB bridges, in particular, can be exploited for arbitrary read/write access, leading to information leaks, code execution, data tampering or theft, or denial-of-service (DoS) attacks. At the time of disclosure, Pantsdown impacted multiple firmware BMC stacks including AMI, SuperMicro, and OpenBMC (up to v.2.6). Exploits exist in the wild that harness the Pantsdown bug, potentially placing enterprise servers at risk. According to Eclypsium, some QCT server models are still vulnerable to CVE-2019-6260. The team tested a QuantaGrid D52B rackmount server containing update package version 1.12 – with a release date of 2019.04.23 – and BIOS version 3B13, as well as BMC version 4.55.00. “This same firmware package names support for D52BQ-2U, D52BQ-2U 3UPI, and D52BV-2U models of the server,” the team noted. “On inspection, we found that the server contained an Aspeed 2500 BMC (AST2500(A2)) and was running a version of AMI-based BMC software vulnerable to Pantsdown.” During tests, the researchers were able to patch the web server code while it was running in memory on the BMC by exploiting CVE-2019-6260, granting themselves read/write access to memory. Furthermore, they could replace it with their own crafted code to trigger a reverse shell whenever a user attempted to connect to the server or refresh its linked webpage. Eclypsium created proof-of-concept (PoC) code that they say “demonstrates how even an unsophisticated attacker with remote access to the operating system could leverage this vulnerability to gain code execution within the BMC of QCT servers.” The presence of the vulnerability in Quanta servers was disclosed on October 7, 2021. According to Eclypsium, QCT has now patched the vulnerability and new firmware was made available privately to customers. Eclypsium VP of Technology, John Loucaides, told ZDNet: ZDNet has reached out to Quanta and we will update when we hear back.
Previous and related coverage
OpenBMC caught with ‘pantsdown’ over new security flawMicrosoft’s out-of-band patch fixes Windows AD authentication failuresMisinformation needs tackling and it would help if politicians stopped muddying the water
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0