CVE-2019-6260 has been found to be exploitable on several models of Quanta Cloud Technology (QCT) servers. Also known as “Pantsdown,” the vulnerability was first disclosed in 2019 against the ASPEED AST2400 and AST2500 BMC chips: their AHB bridges allow code running on the host to read and write the Baseboard Management Controller's (BMC) physical address space. In practice this lets an attacker with host access escape into the BMC, and from the BMC's management network interface move laterally to other servers. Control of the BMC also gives the attacker the ability to make firmware-level changes, which makes persistence and continued access significantly easier to maintain and much harder for host-based tools to detect. The issue with QCT servers D52BQ-2U, D52BQ-2U 3UPI, and D52BV-2U was responsibly disclosed to QCT in October, and a patch has been made available to customers privately, so affected organizations need to obtain it from QCT directly rather than from a public download.
Companies that are impacted by this vulnerability should apply the patch as soon as possible. Firmware-level vulnerabilities are especially valuable to attackers because of the level of access and persistence they provide. Further, check affected systems for Indicators of Compromise (IOC), such as unexpected or unauthorized external connections originating from the BMC, recent undocumented firmware changes or updates, or an uptick in logged errors. Because a compromised BMC sits below the host operating system, these checks should be performed from the BMC's own logs and the management network rather than relying only on host-based agents.
This vulnerability highlights the importance of keeping firmware up to date and understanding which devices are on company networks. Include firmware in vulnerability scans and record device firmware versions in asset management so that unpatched or unexpectedly changed units can be identified. Also, ensure vendors are keeping their software and firmware up to date, and independently validate that vulnerabilities have actually been remediated rather than taking a patch notice at face value.
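The two checks recommended above, flagging affected models that are still below a fixed firmware version and flagging BMC firmware that changed without a change-control record, can be run over the asset inventory. The following is an added example, not QCT's or the advisory's own tooling. The inventory records, version strings, and change tickets are constructed for the example; the fixed firmware version is a placeholder assumption, since the vendor patch was distributed privately and the page does not name a version. The affected model names are the ones listed on this page.

```python
"""Inventory checks for CVE-2019-6260 (Pantsdown) exposure on QCT servers.

Added example: flags (1) affected models still on BMC firmware below the fixed
version and (2) firmware that changed since the last inventory run with no
approved change ticket, one of the IOCs recommended above.
"""
from __future__ import annotations

from dataclasses import dataclass

# Models named in the advisory as affected.
AFFECTED_MODELS = {"D52BQ-2U", "D52BQ-2U 3UPI", "D52BV-2U"}

# ASSUMPTION: placeholder for the minimum BMC firmware version that carries the
# vendor fix. Replace with the version QCT supplied to you.
FIXED_BMC_VERSION = "3.19.00"


@dataclass(frozen=True)
class BmcRecord:
    asset_id: str
    model: str             # model as reported by the BMC (e.g. Redfish System resource)
    bmc_version: str       # firmware version the BMC reports now
    recorded_version: str  # version stored in the CMDB from the previous inventory run


@dataclass(frozen=True)
class ChangeTicket:
    asset_id: str
    to_version: str
    approved: bool


def parse_version(version: str) -> tuple:
    """'3.18.02' -> (3, 18, 2). Pads to three components so '3.19' == '3.19.00'.
    Non-numeric characters are dropped so a vendor suffix never raises."""
    parts = []
    for piece in version.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def unpatched_affected(inventory: list[BmcRecord]) -> list[str]:
    """Affected QCT models whose BMC firmware is still below the fixed version."""
    fixed = parse_version(FIXED_BMC_VERSION)
    return sorted(
        r.asset_id
        for r in inventory
        if r.model in AFFECTED_MODELS and parse_version(r.bmc_version) < fixed
    )


def undocumented_changes(inventory: list[BmcRecord], tickets: list[ChangeTicket]) -> list[str]:
    """Assets whose BMC firmware differs from the recorded version and for which no
    approved ticket names that exact asset and target version."""
    approved = {(t.asset_id, parse_version(t.to_version)) for t in tickets if t.approved}
    flagged = []
    for r in inventory:
        current = parse_version(r.bmc_version)
        if current == parse_version(r.recorded_version):
            continue  # no change since the last run
        if (r.asset_id, current) not in approved:
            flagged.append(r.asset_id)
    return sorted(flagged)


# Constructed sample data for the example; not real inventory.
SAMPLE_INVENTORY = [
    BmcRecord("srv-01", "D52BQ-2U",      "3.19.00", "3.19.00"),  # patched, unchanged
    BmcRecord("srv-02", "D52BQ-2U 3UPI", "3.18.02", "3.18.02"),  # affected, never patched
    BmcRecord("srv-03", "D52BV-2U",      "3.19.00", "3.18.02"),  # patched via approved ticket
    BmcRecord("srv-04", "D52BV-2U",      "3.18.05", "3.18.02"),  # changed with no approved ticket
    BmcRecord("srv-05", "OTHER-1U",      "1.02.00", "1.02.00"),  # model not in scope
]
SAMPLE_TICKETS = [
    ChangeTicket("srv-03", "3.19.00", approved=True),
    ChangeTicket("srv-04", "3.19.00", approved=False),  # planned, never approved or applied
]

if __name__ == "__main__":
    print("Still on unpatched BMC firmware:", unpatched_affected(SAMPLE_INVENTORY))
    print("Undocumented firmware changes:", undocumented_changes(SAMPLE_INVENTORY, SAMPLE_TICKETS))
```

On the sample data, srv-02 and srv-04 are reported as still vulnerable, and srv-04 is additionally flagged because its firmware moved to a version no approved ticket covers; that combination (unexplained firmware change on an exposed model) is the case that deserves a forensic look at the BMC itself.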
Firmware updates are less forgiving than software updates: an interrupted or misapplied BMC update can leave the controller unreachable or the server unable to boot, so a strong change control procedure with a tested backout plan and vendor support is highly encouraged.