Researchers from security company Eclypsium have uncovered a set of USB-related vulnerabilities in the baseboard management controller (BMC) on Supermicro's server boards (models X9, X10 and X11) that could allow attackers to hijack thousands of servers. The researchers, the same ones who warned earlier that Supermicro's servers can be easily backdoored, named the vulnerabilities USBAnywhere.
Taking Over Supermicro’s Servers Remotely
A BMC is a 'computer within a computer,' much like Intel's often-criticized Management Engine (ME), that allows IT administrators to remotely control and update computers on a network. Normally, the BMC is confined to an isolated management network so that it cannot be reached from outside that network. However, not everyone does this; some organizations deliberately expose BMCs so that administrators can reach their servers over a web interface.
These interfaces aren’t typically designed with security in mind, either, which makes it that much easier for attackers to find existing vulnerabilities and exploit them. In this particular instance, the Eclypsium researchers found a vulnerability in the BMC feature that allowed IT admins to remotely mount images as USB devices.
This is dangerous because remote virtual media essentially gives an attacker the same power as local USB access to the machine. For instance, the attackers could install a new operating system or implant malware via the remote USB access.
The Eclypsium team found four vulnerabilities: plaintext authentication, unauthenticated network traffic, weak encryption for the remote connection, and an authentication bypass flaw in the Supermicro X10 and X11 platforms that allows a new client of the virtual media service to inherit an earlier client's permissions.
The Eclypsium researchers noted:
"If a valid administrator had used virtual media since the BMC was last powered off, the authentication bypass vulnerability would allow an attacker to connect even without the proper username and password."
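To make the permission-inheritance flaw described above concrete, here is an added toy model (constructed for this article, not Supermicro's firmware or Eclypsium's code) of a virtual media service. The vulnerable variant keeps a single "authenticated" flag for the whole service, so once one administrator has logged in, every later client is treated as authorized until the service is power-cycled; the fixed variant ties the authentication result to each client's own connection. The credentials, image names and `scenario` sequence are all made up for the demonstration.

```python
"""Toy model of a BMC virtual-media service (constructed example).

It contrasts service-wide authorization state (the flaw class described in
the article) with per-connection authorization (the fix), using the same
sequence the advisory describes: a real admin logs in, then a second client
connects with wrong credentials and tries to mount an image.
"""
import hmac

# Constructed credentials for the toy service; not real values.
VALID_USERS = {"admin": "correct-horse"}


def check_credentials(user, password):
    """Constant-time comparison against the stored password for `user`."""
    expected = VALID_USERS.get(user)
    return expected is not None and hmac.compare_digest(expected, password)


class VulnerableVirtualMedia:
    """Authorization is tracked once per service instead of per client."""

    def __init__(self):
        self._authenticated = False  # one flag shared by every client

    def connect(self, user, password):
        if check_credentials(user, password):
            self._authenticated = True  # stays set for all later clients
        return {"user": user}  # handle carries no auth result of its own

    def mount_image(self, client, image):
        # Decision depends on the shared flag, not on who is asking.
        if not self._authenticated:
            return "denied"
        return f"mounted {image} for {client['user']}"

    def power_cycle(self):
        """Models a BMC power-off: only this clears the stale flag."""
        self._authenticated = False


class FixedVirtualMedia:
    """Each client handle records its own authentication outcome."""

    def connect(self, user, password):
        return {"user": user, "authenticated": check_credentials(user, password)}

    def mount_image(self, client, image):
        if not client["authenticated"]:
            return "denied"
        return f"mounted {image} for {client['user']}"


def scenario(service):
    """An admin authenticates first, then a stranger connects with bad
    credentials and tries to mount an image. Returns both mount results."""
    admin = service.connect("admin", "correct-horse")
    stranger = service.connect("nobody", "wrong-password")
    return (
        service.mount_image(admin, "recovery.iso"),
        service.mount_image(stranger, "unknown.iso"),
    )


if __name__ == "__main__":
    print("vulnerable:", scenario(VulnerableVirtualMedia()))
    print("fixed:     ", scenario(FixedVirtualMedia()))
```

Running the module shows the stranger's mount succeeding against the vulnerable service and being denied by the fixed one; only `power_cycle()` clears the vulnerable service's stale flag, which is why the advisory conditions the bypass on an administrator having used virtual media since the last power-off.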
The security team that uncovered the bugs believes that tens of thousands of Supermicro servers could be open to this attack. The Eclypsium researchers said they contacted Supermicro, which has issued a fix for its server motherboards, but Supermicro’s customers will still need to install the update for protection against USBAnywhere attacks.