Cloudflare’s approach to handling BMC vulnerabilities

Recent cyber attacks on servers like Baseboard Management Controllers (BMCs) have targeted vulnerabilities such as Pantsdown and USBAnywhere, leaving servers vulnerable due to infrequent firmware updates. Cloudflare has discovered new critical vulnerabilities in popular BMC software used in their fleet. These vulnerabilities can enable ransomware propagation, server bricking, and data theft. To mitigate the impact of these vulnerabilities, Cloudflare has updated firmware, reduced exposure of BMC remote and local interfaces, disabled default passwords, and enabled BMC logging and auditing. Additionally, they are moving forward with OpenBMC, an open-source firmware for supported baseboard management controllers, and extending secure boot capabilities to the very first device that has power to their systems.