USBAnywhere flaw exposes Supermicro servers to hackers

By Kirsten Doyle, ITWeb contributor.
Johannesburg, 04 Sept 2019

Researchers from Eclypsium, a provider of security for firmware and hardware, have uncovered new vulnerabilities in the baseboard management controllers (BMCs) of Supermicro servers.

Collectively named USBAnywhere, the vulnerabilities can enable bad actors to easily connect to a server and virtually mount any USB device to that server, remotely over any network. 

To date, the company has found at least 47 000 systems with their BMCs exposed to the Internet. 

Alarmingly, these are only the BMCs that are directly exposed to the Internet, and the same issues can easily be exploited by hackers who gain access to a corporate network.

Privileged components

According to the researchers, BMCs are highly privileged components, as they were designed to allow administrators to perform out-of-band management of a server. In this case, the problem stems from several issues in the way that BMCs on Supermicro X9, X10 and X11 platforms implement virtual media, an ability to remotely connect a disk image as a virtual USB CD-ROM or floppy drive. 

When accessed remotely, the virtual media service enables plaintext authentication, sends most traffic unencrypted, uses a weak encryption algorithm for the rest, and is susceptible to an authentication bypass. 

In this way, a threat actor can easily gain access to a server, by capturing a legitimate user’s authentication packet, using default credentials, and in some cases, without any credentials at all.

Once connected, the virtual media service allows the hacker to interact with the host system as a raw USB device. 

“This means attackers can attack the server in the same way as if they had physical access to a USB port, such as loading a new operating system image or using a keyboard and mouse to modify the server, implant malware, or even disable the device entirely,” the Eclypsium researchers said. 

In addition, as access is easy and the attack vector straightforward, even unsophisticated attackers would be able to remotely attack a target entity’s most critical assets.  

“It is important to note that BMCs should never be directly exposed to the Internet. While the underlying issues described here would apply to connections over any network, direct exposure to the Internet greatly increases the likelihood of an attack,” they added.

Monitoring firmware integrity

This issue also stresses the importance of monitoring and securing servers beyond the operating system and applications they run. “Servers have an incredibly wide firmware attack surface, of which BMCs are only one element.”

Network adapters, physical ports, drives, processors and chipsets, and dozens of other components rely on firmware that contains exploitable vulnerabilities, the researchers explained. Threats operating at this level can easily slip through the traditional security nets, putting the device, the system it is part of, and the integrity of all data stored on that system at risk. 

“Monitoring firmware integrity and deploying firmware security updates are fundamental measures to build solid server security,” the researchers concluded.

Eclypsium disclosed the vulnerability to Supermicro, who quickly responded and collaborated with the Eclypsium team to develop a fix for the vulnerabilities. 

Supermicro has committed to providing firmware updates for its X9, X10 and X11 platforms. Businesses using the Supermicro X9, X10 and X11 platforms are encouraged to visit Supermicro’s Security Center and Virtual Media Vulnerability details page for information on updating BMC firmware on these platforms.
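The three mitigations the article repeats (keep BMCs off routable networks, change default credentials, and run current BMC firmware on affected X9/X10/X11 platforms) can be checked against a server inventory. The script below is an added illustration, not code from Eclypsium or Supermicro; the management CIDR, the minimum firmware versions and the inventory records are constructed placeholders, and the real fixed versions must be taken from Supermicro's Virtual Media Vulnerability page.

```python
"""Audit a BMC inventory against the USBAnywhere mitigations described above."""
import ipaddress

# Constructed: the site's dedicated out-of-band management range(s).
MANAGEMENT_NETWORKS = [ipaddress.ip_network("10.10.0.0/16")]

# PLACEHOLDER minimum BMC firmware per affected platform family; replace with
# the versions Supermicro publishes for the virtual media fix.
MIN_FIRMWARE = {"X9": "1.50", "X10": "1.50", "X11": "1.50"}


def parse_version(ver: str) -> tuple:
    """'1.80' -> (1, 80); a non-numeric component compares as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in ver.split("."))


def in_management_network(ip: str) -> bool:
    """True when the BMC address falls inside an allowed management CIDR."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MANAGEMENT_NETWORKS)


def audit_bmc(entry: dict) -> list:
    """Return finding tags for one inventory record (empty list means clean)."""
    findings = []
    if not in_management_network(entry["bmc_ip"]):
        findings.append("bmc-outside-management-network")
    minimum = MIN_FIRMWARE.get(entry["platform"])
    if minimum and parse_version(entry["firmware"]) < parse_version(minimum):
        findings.append("bmc-firmware-below-minimum")
    if not entry.get("default_credentials_changed", False):
        findings.append("bmc-default-credentials")
    return findings


def audit_inventory(inventory: list) -> dict:
    """Map hostname -> findings for every record."""
    return {e["hostname"]: audit_bmc(e) for e in inventory}


# Constructed sample inventory: hostnames, addresses and versions are made up.
SAMPLE_INVENTORY = [
    {"hostname": "db01", "platform": "X11", "bmc_ip": "10.10.4.21",
     "firmware": "1.80", "default_credentials_changed": True},
    {"hostname": "web03", "platform": "X10", "bmc_ip": "203.0.113.5",
     "firmware": "1.20", "default_credentials_changed": False},
]

if __name__ == "__main__":
    for host, issues in audit_inventory(SAMPLE_INVENTORY).items():
        print(host, issues or "ok")
```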
