Critical ‘Pantsdown’ BMC Vulnerability Affects QCT Servers Used in Data Centers
Quanta Cloud Technology (QCT) servers have been identified as vulnerable to the severe “Pantsdown” Baseboard Management Controller (BMC) flaw, according to new research published today.
“An attacker running code on a vulnerable QCT server would be able to ‘hop’ from the server host to the BMC and move their attacks to the server management network, possibly continue and obtain further permissions to other BMCs on the network and by doing that gaining access to other servers,” firmware and hardware security firm Eclypsium said.
A baseboard management controller is a specialized system used for remote monitoring and management of servers, including controlling low-level hardware settings as well as installing firmware and software updates.
Tracked as CVE-2019-6260 (CVSS score: 9.8), the critical security flaw came to light in January 2019 and relates to a case of arbitrary read and write access to the BMC’s physical address space, resulting in arbitrary code execution.
Successful exploitation of the vulnerability can provide a threat actor with full control over the server, making it possible to overwrite the BMC firmware with malicious code, deploy persistent malware, exfiltrate data, and even brick the system.
Impacted QCT server models include D52BQ-2U, D52BQ-2U 3UPI, and D52BV-2U, which come with BMC version 4.55.00 that runs a version of BMC software vulnerable to Pantsdown.
Following responsible disclosure on October 7, 2021, a patch was made privately available to customers on April 15.
The fact that a three-year-old weakness continues to exist underscores the need to fortify firmware-level code by applying updates in a timely fashion and regularly scanning the firmware for potential indicators of compromise.
Firmware security is particularly crucial given that components like BMCs have emerged as a lucrative target for cyberattacks aimed at planting stealthy malware such as iLOBleed, which is designed to completely wipe a victim server’s disks.
To mitigate such risks, organizations relying on QCT products should verify the integrity of their BMC firmware and update the component to the latest version as and when the fixes become available.
“Adversaries are getting increasingly comfortable wielding firmware-level attacks,” the company said. “What is important to note is how knowledge of firmware-level exploits has increased over the years: what was difficult in 2019 is almost trivial today.”