IBM updates firmware to fix flaw in cloud server's BMC component

News by Bradley Barth

A vulnerability found in the Baseboard Management Controller (BMC) component of IBM Cloud's Bare Metal Server product could allow attackers to overwrite the firmware and then leverage the compromised firmware to attack future users of the product.


IBM has issued a firmware update to patch the flaw, which the company’s PSIRT team classified as low severity in a blog post published yesterday.

Bare metal servers are servers that are used exclusively at any one time by a single organisation, as opposed to servers shared by multiple unaffiliated companies. IBM Cloud’s BMC component allows remote management of the bare metal server product for the purpose of provisioning, operating system reinstallation, and troubleshooting.

"On some system models offered by IBM Cloud and other cloud providers, a malicious attacker with access to the provisioned system could overwrite the firmware of the BMC. The system could then be returned to the hardware pool, where the compromised BMC firmware could then be used to attack the next user of the system," reads the IBM alert.

"The BMC has limited processing power and memory, which makes these types of attacks difficult. IBM has found no indication that this vulnerability has been exploited for malicious purposes. In addition, all clients of IBM Cloud receive a private network for their BMCs, separate from the private networks containing other clients’ BMCs and unprovisioned BMCs."

In response, IBM is "forcing all BMCs, including those that are already reporting up-to-date firmware, to be reflashed with factory firmware before they are re-provisioned to other customers," the alert continues.

Researchers at Eclypsium say they reported the vulnerability to IBM in September 2018. Eclypsium disagrees with IBM’s low-severity classification, contending that the flaw is actually of critical severity under CVSS 3.0 criteria. Eclypsium’s in-depth analysis of the vulnerability can be found here.

This article was originally published on SC Media US.
