According to Eclypsium researchers, a wide range of vulnerabilities impacting the baseboard management controllers (BMCs) of Supermicro servers could be misused by remote attackers to get access to corporate networks.
Collectively called USBAnywhere, the flaws could let attackers connect to a server and attach a device to it remotely as if they had physical access to the server's USB port.
BMCs are dedicated microcontrollers embedded on a server's motherboard that let sysadmins carry out low-level tasks without being physically present at the machine; the BMCs receive information from the numerous sensors built into the computer.
“The problem stems from several issues in the way that BMCs on Supermicro X9, X10 and X11 platforms implement virtual media. When accessed remotely, the virtual media service allows plaintext authentication, sends most traffic unencrypted, uses a weak encryption algorithm for the rest, and is susceptible to an authentication bypass,” Eclypsium researchers explained.
“These issues allow an attacker to easily gain access to a server, either by capturing a legitimate user’s authentication packet, using default credentials, and in some cases, without any credentials at all. Once credentials are obtained, an attacker can then perform any of a large number of USB-based attacks against the server remotely including data exfiltration, booting from untrusted OS images, or direct manipulation of the system via a virtual keyboard and mouse.”
Ideally, BMCs should not be exposed to the Internet, but the researchers found 92,000 of them via a simple SHODAN search.
The vulnerabilities were disclosed to Supermicro in June and the company has already released new versions of the BMC software to address them. It is now up to administrators to apply them.
“Industry best practice is operating BMCs on an isolated private network not exposed to the internet, which would reduce, but not eliminate the identified exposure,” Supermicro explains.
“Another potential interim remediation is to disable Virtual Media by blocking TCP port 623 and then upgrade to the latest security fix for BMC/IPMI firmware at a later date.”
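As an added illustration of the interim guidance quoted above (not code from Eclypsium or Supermicro), the following script audits a BMC inventory for the two conditions Supermicro names: a BMC reachable outside a private (RFC 1918) network, and the virtual media service on TCP port 623 still reachable. The inventory rows are constructed sample data standing in for an export from a port scan or firewall policy review.

```python
"""Audit BMC exposure against the interim guidance: BMCs belong on an
isolated private network, and TCP/623 (virtual media) should be blocked
until the BMC/IPMI firmware fix is applied."""
import ipaddress

# RFC 1918 private ranges; a BMC outside these is addressable from the Internet.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

VIRTUAL_MEDIA_PORT = 623  # TCP port named in Supermicro's guidance

# Constructed sample (not real data): (bmc_ip, ports observed reachable
# from the corporate network). 203.0.113.0/24 is a documentation range
# used here to stand in for a public address.
SAMPLE_INVENTORY = [
    ("10.20.30.5",  {623, 443}),  # private subnet, but virtual media reachable
    ("10.20.30.6",  {443}),       # private subnet, 623 blocked -> compliant
    ("203.0.113.7", {623, 80}),   # public address AND 623 reachable
    ("192.168.1.9", set()),       # nothing reachable -> compliant
]


def classify_bmc(ip, open_ports):
    """Return the list of findings for one BMC; an empty list means compliant."""
    findings = []
    addr = ipaddress.ip_address(ip)
    if not any(addr in net for net in PRIVATE_NETS):
        findings.append("bmc-on-public-address")
    if VIRTUAL_MEDIA_PORT in open_ports:
        findings.append("virtual-media-port-623-reachable")
    return findings


def audit(inventory):
    """Map each non-compliant BMC address to its findings."""
    report = {}
    for ip, ports in inventory:
        findings = classify_bmc(ip, ports)
        if findings:
            report[ip] = findings
    return report


if __name__ == "__main__":
    for ip, findings in audit(SAMPLE_INVENTORY).items():
        print(f"{ip}: {', '.join(findings)}")
```

A BMC that passes this check is not fixed, only less exposed; the firmware update Supermicro released is still required.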
Right now, there is no sign that these flaws are being exploited in the wild.