Researchers have disclosed the existence of the critical "Pantsdown" vulnerability in some Quanta Cloud Technology (QCT) server models. 

Security

Cyber security 101: Protect your privacy from hackers, spies, and the government

Simple steps can make the difference between losing your online accounts or maintaining what is now a precious commodity: Your privacy.

Read now

On Thursday, cybersecurity firm Eclypsium said that several servers belonging to the data center solutions provider were still vulnerable to the bug, which has been publicly known for years now. 

The vulnerability, tracked as CVE-2019-6260, was first discovered in January 2019. At the time one security researcher described it as "the nature of feeling that we feel that we've caught chunks of the industry with their...."

CVE-2019-6260, issued a CVSS severity score of 9.8, or critical, is a vulnerability in ASPEED Baseband Management Controller (BMC) hardware & firmware. AHB bridges, in particular, can be exploited for arbitrary read/write access, leading to information leaks, code execution, data tampering or theft, or denial-of-service (DoS) attacks. 

At the time of disclosure, Pantsdown impacted multiple firmware BMC stacks including AMI, SuperMicro, and OpenBMC (up to v.2.6).

Exploits exist in the wild that harness the Pantsdown bug, potentially placing enterprise servers at risk. 

According to Eclypsium, some QCT server models are still vulnerable to CVE-2019-6260. The team tested a QuantaGrid D52B rackmount server containing update package version 1.12 -- with a release date of 2019.04.23 -- and BIOS version 3B13, as well as BMC version 4.55.00. 

"This same firmware package names support for D52BQ-2U, D52BQ-2U 3UPI, and D52BV-2U models of the server," the team noted. "On inspection, we found that the server contained an Aspeed 2500 BMC (AST2500(A2)) and was running a version of AMI-based BMC software vulnerable to Pantsdown."

During tests, the researchers were able to patch the web server code while it was running in memory on the BMC by exploiting CVE-2019-6260, granting themselves read/write access to memory. Furthermore, they could replace it with their own crafted code to trigger a reverse shell whenever a user attempted to connect to the server or refresh its linked webpage. 

Eclypsium created proof-of-concept (PoC) code that they say "demonstrates how even an unsophisticated attacker with remote access to the operating system could leverage this vulnerability to gain code execution within the BMC of QCT servers."

The presence of the vulnerability in Quanta servers was disclosed on October 7, 2021. According to Eclypsium, QCT has now patched the vulnerability and new firmware was made available privately to customers. 

Eclypsium VP of Technology, John Loucaides, told ZDNet:

"Unfortunately, we cannot be sure just how many server models are vulnerable. Some of our partners have run our tests on other models and found the same issue. Given that even some major manufacturers did not run comprehensive tests for this, no one is likely to have a complete list."

ZDNet has reached out to Quanta and we will update when we hear back. 

Previous and related coverage

• OpenBMC caught with 'pantsdown' over new security flaw
  
• Microsoft's out-of-band patch fixes Windows AD authentication failures
  
• Misinformation needs tackling and it would help if politicians stopped muddying the water
  

---

Have a tip?Get in touch securely via WhatsApp Signal at +447713 025 499, or over at Keybase: charlie0

---

Security

8 habits of highly secure remote workersHow to find and remove spyware from your phoneThe best VPN services: How do the top 5 compare?How to find out if you are involved in a data breach -- and what to do next

• 8 habits of highly secure remote workers
• How to find and remove spyware from your phone
• The best VPN services: How do the top 5 compare?
• How to find out if you are involved in a data breach -- and what to do next