IT administrators with Supermicro X11, X10 and X9 servers in their environments are being urged to take remediation action to protect the devices after the discovery of a vulnerability that could allow an attacker to remotely access servers through a USB key.
The vulnerability in the baseboard management controller (BMC) was disclosed Tuesday by security vendor Eclypsium, which has found similar bugs in BMCs of other server manufacturers.
The vendor is calling the problem USBAnywhere. Eclypsium suspects at least 47,000 Supermicro systems with their BMCs exposed to the Internet could be open to attack. Others who are connected to a corporate network could be attacked if that network is penetrated.
A BMC allows administrators to perform out-of-band management of a server. Normally, that’s useful as long as the controller has privileged access. However, Eclypsium said the three Supermicro models have a problem with the way their BMCs implement virtual media, an ability to remotely connect a disk image as a virtual USB CD-ROM or floppy drive.
“When accessed remotely, the virtual media service allows plaintext authentication, sends most traffic unencrypted, uses a weak encryption algorithm for the rest, and is susceptible to an authentication bypass,” indicated the report. “These issues allow an attacker to easily gain access to a server, either by capturing a legitimate user’s authentication packet, using default credentials, and in some cases, without any credentials at all.
“Once connected, the virtual media service allows the attacker to interact with the host system as a raw USB device. This means attackers can attack the server in the same way as if they had physical access to a USB port, such as loading a new operating system image or using a keyboard and mouse to modify the server, implant malware, or even disable the device entirely. The combination of easy access and straightforward attack avenues can allow unsophisticated attackers to remotely attack some of an organization’s most valuable assets.”
Eclypsium said an attacker could try using the well-known default username and password (admin) for a Supermico BMC. Even if the default password was changed, it argues, an attacker could still easily gain access through the authentication bypass vulnerability, if a valid administrator had used virtual media since the BMC was last powered off,
Supermicro is working on firmware updates. In the meantime it noted industry best practice is to operate BMCs on any company’s server on an isolated private network not exposed to the Internet, which would reduce, but not eliminate, the issue. Another potential interim remediation, Supermicro said, is to disable Virtual Media by blocking TCP port 623 and then upgrade to the latest security fix for BMC/IPMI firmware at a later date.
