Thousands of Supermicro servers vulnerable to remote attack, says security vendor

IT administrators with Supermicro X11, X10 and X9 servers in their environments are being urged to take remediation action to protect the devices after the discovery of a vulnerability that could allow an attacker to remotely access servers as if plugging in a USB key.

The vulnerability in the baseboard management controller (BMC) was disclosed Tuesday by security vendor Eclypsium, which has found similar bugs in BMCs of other server manufacturers.

The vendor is calling the problem USBAnywhere. Eclypsium estimates that at least 47,000 Supermicro systems with their BMCs exposed to the Internet could be open to attack. Systems whose BMCs are reachable only from a corporate network could still be attacked once that network is penetrated.

A BMC allows administrators to perform out-of-band management of a server. Normally that’s useful, as long as the controller’s privileged access is protected. However, Eclypsium said the three Supermicro server lines have a problem with the way their BMCs implement virtual media, a feature that lets an administrator remotely attach a disk image as a virtual USB CD-ROM or floppy drive.

“When accessed remotely, the virtual media service allows plaintext authentication, sends most traffic unencrypted, uses a weak encryption algorithm for the rest, and is susceptible to an authentication bypass,” indicated the report. “These issues allow an attacker to easily gain access to a server, either by capturing a legitimate user’s authentication packet, using default credentials, and in some cases, without any credentials at all.

“Once connected, the virtual media service allows the attacker to interact with the host system as a raw USB device. This means attackers can attack the server in the same way as if they had physical access to a USB port, such as loading a new operating system image or using a keyboard and mouse to modify the server, implant malware, or even disable the device entirely. The combination of easy access and straightforward attack avenues can allow unsophisticated attackers to remotely attack some of an organization’s most valuable assets.”

Eclypsium said an attacker could try using the well-known default username and password (admin) for a Supermicro BMC. Even if the default password was changed, it argues, an attacker could still easily gain access through the authentication bypass vulnerability if a valid administrator had used virtual media since the BMC was last powered off.

Supermicro is working on firmware updates. In the meantime, it noted that industry best practice is to run BMCs on an isolated private network that is not exposed to the Internet, which would reduce, but not eliminate, the risk. Another potential interim remediation, Supermicro said, is to disable virtual media by blocking TCP port 623, and then upgrade to the latest security fix for the BMC/IPMI firmware when it becomes available.
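As an added example (not from the article, Eclypsium or Supermicro), here is a small Python audit an administrator could run from outside the management network to confirm that the interim block on TCP port 623 actually holds across a BMC inventory. The addresses are constructed placeholders, and the `probe` parameter is an assumption introduced so the classification logic can be exercised without network access.

```python
import socket
from typing import Callable, Dict, Iterable, List

# TCP port 623 is the port Supermicro names for its interim "disable virtual media" block.
VIRTUAL_MEDIA_PORT = 623


def tcp_port_reachable(host: str, port: int = VIRTUAL_MEDIA_PORT, timeout: float = 2.0) -> bool:
    """Return True if a TCP connection to host:port succeeds from this vantage point.

    Run this from wherever an outsider would sit (e.g. the corporate LAN or the
    Internet side of a firewall), not from inside the isolated management network.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # Refused, filtered/timed out, or unresolvable: all mean "not reachable from here".
        return False


def audit_bmcs(hosts: Iterable[str],
               probe: Callable[[str], bool] = tcp_port_reachable) -> Dict[str, str]:
    """Classify each BMC address as 'exposed' (TCP/623 reachable) or 'blocked'.

    `probe` is injectable (hypothetical helper parameter) so the logic is testable offline.
    """
    return {host: ("exposed" if probe(host) else "blocked") for host in hosts}


def exposed_hosts(report: Dict[str, str]) -> List[str]:
    """Sorted list of addresses where the virtual media port is still reachable."""
    return sorted(h for h, state in report.items() if state == "exposed")


if __name__ == "__main__":
    # Constructed sample inventory of BMC management addresses (RFC 5737 documentation range).
    inventory = ["192.0.2.10", "192.0.2.11", "192.0.2.12"]
    report = audit_bmcs(inventory)
    for host, state in report.items():
        print(f"{host}\tTCP/{VIRTUAL_MEDIA_PORT} {state}")
    still_open = exposed_hosts(report)
    if still_open:
        raise SystemExit("Virtual media port still reachable on: " + ", ".join(still_open))
```

A non-zero exit from the script flags BMCs whose port block has not taken effect; it does not verify firmware level, so the follow-up firmware upgrade still has to be tracked separately.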


Howard Solomon