In 2019, a team of researchers discovered Pantsdown, a vulnerability in ASPEED baseboard management controller hardware with a whopping 9.8 CVSS score. Three years later, firmware security vendor Eclypsium is still catching servers with their pants down.
Pantsdown stemmed from exposed debug controls in implementations of ASPEED across multiple vendors, including NetApp who addressed the problem immediately. It poses a fairly substantial problem for users given baseboard management controller positioning. Yet Eclypsium found the vulnerability still unaddressed by Quanta Cloud Technology servers — an issue they see as emblematic of how vendors and enterprise security professionals treat firmware vulnerabilities.
"What's really going on is that this is a case study," John Loucaides, vice president of technology at Eclypsium told SC Media.
Many vendors make BMCs, but the chipsets often come from the same manufacturers. But like many supply chain issues, the vulnerability could not be patched with the upstream vendor's snap of the fingers.
"The problem is that it's not just fixing it once and it works everywhere.The component was embedded differently into each one of these servers. And each one of these servers may or may not contain that vulnerability, Depending on whether or not that particular development team actually locked this down for that model with this version of firmware" said Loucaides.
"And so what that means is that the manufacturers themselves actually have to go run tests to discover which systems are actually vulnerable. Your IT administrators, same deal."
Compounding the problem is that firmware is often beyond the comfort level of many enterprise security practitioners, who most often work above the operating system. Some vendors, at least in Eclypsium's experience, can be fickle about testing for firmware problems or lack the human infrastructure to handle problems of this scope confidently.
Ultimately, Eclypsium believes, Pantsdown caught the industry with its pants down.
Eclypsium said Quanta Cloud Technologies informed them that it had created a patch available upon customer request, but was not pushing it to users or publicizing that it exists. Quanta did not immediately reply to a request for comment.
"Firmware has this obscure place in the world that it's rather important, makes everything work. But it's also rather hidden, right where people won't think about it and it's designed," Loucaides said.
While he could not speak for Quanta specifically, it has led the industry as a whole to treat firmware patches as optional.
"I found a couple of BIOS updates in the past that basically said, Do not install BIOS updates unless you actually have a problem," he said.
While firmware attacks have traditionally been the domain of nation-states, there is no guarantee that criminals will treat them that way for long. The Robbinhood ransomware, for example, which struck municipalities in 2019, relied on firmware.
"It's actually easier and easier year over year. For example, this this issue is a 2019 CV. It's been out there for years," Loucaides said.