Pantsdown vulnerability affects various BMC stacks as well as OpenBMC on systems using two particular Aspeed chips
An oversight in the firmware for various baseband management controllers (BMCs) can be exploited by miscreants to bury spyware deep inside a server, potentially poisoning it for the next owner.
Malware successfully abusing this security blunder can remain invisible to hypervisor, operating system, and antivirus software, can survive reboots and disk wipes by hiding in the BMC flash memory, potentially infect the OS, and get up to all sorts of other mischief. It requires root-level access to exploit this particular flaw. It affects at least some x86-64 and IBM OpenPOWER boxes, we’re told, and is not tied to any particular host CPU architecture.
One attack scenario would involve an admin reprogramming the BMC chipset so that the next owner of the machine is secretly snooped on by spyware. A system tainted this way could be a bare-metal server in a cloud or data center, cycled through customers as required, or a box resold to a victim. Whoever was using the machine next would likely be none-the-wiser that bootkit-level malware was lurking in the endpoint’s motherboard firmware.
The impact of the security hole will depend greatly on how an organization’s data center is architectured. Large cloud providers, for instance, typically use their own customized BMC firmware that may not be susceptible to this particular attack, or assume the BMC is under the server admin’s control anyway and partition the box accordingly from the rest of the network. Smaller platforms and corporations may not have as tight security, and may be vulnerable to this attack.
BMCs are typically chipsets on server motherboards that are a computer within the computer: they can manage hardware, power-cycle the box, change or reinstall the operating system, and so on, remotely over the network or some other communications channel, allowing sysadmins to perform maintenance from afar without having to get up and pull a machine out of the rack.
