Pierluigi Paganini September 03, 2019

USBAnywhere – Tens of thousands of enterprise servers powered by Supermicro motherboards can remotely be compromised by virtually plugging in USB devices.

Tens of thousands of servers worldwide powered by Supermicro motherboards are affected by a vulnerability that would allow an attacker to remotely take over them.

Researchers at firmware security firm Eclypsium discovered multiple vulnerabilities referred as USBAnywhere that could be exploited to potentially allow an attacker to take over the baseboard management controller (BMC) for three different models of Supermicro server boards: the X9, X10, and X11.

“our research has uncovered new vulnerabilities, which we collectively dubbed USBAnywhere, in the baseboard management controllers (BMCs) of Supermicro servers, which can allow an attacker to easily connect to a server and virtually mount any USB device of their choosing to the server, remotely over any network including the Internet.” reads the post published by Eclypsium.

A baseboard management controller (BMC) is a specialized service processor that monitors the physical state of a computer, network server or other hardware device using sensors and communicating with the system administrator through an independent connection. The BMC is part of the Intelligent Platform Management Interface (IPMI) and is usually contained in the motherboard or main circuit board of the device to be monitored.

BMCs allow admins to connect to a server over the network and perform critical maintenance tasks, such as the updated the OS or firmware.

The issues in BMCs on Supermicro X9, X10, and X11 platforms tie the implementation of virtual media to remotely connect a disk image as a virtual USB CD-ROM or floppy drive.

When accessed remotely, the virtual media service allows plaintext authentication, sends most traffic unencrypted, uses a weak encryption algorithm for the rest, and is susceptible to an authentication bypass.  An attacker could exploit the flaws to gain access to a server, either by capturing a legitimate user’s authentication packet, using default credentials, and under specific circumstances without providing credentials.

Experts explained that some BMCs are left open online and can be managed over a web interface.

The web interface used by Supermicro servers to connect the BMC allows admins to remotely mount images as USB devices.

“Once connected, the virtual media service allows the attacker to interact with the host system as a raw USB device.” continues the post.

“This means attackers can attack the server in the same way as if they had physical access to a USB port, such as loading a new operating system image or using a keyboard and mouse to modify the server, implant malware, or even disable the device entirely,”

The researchers discovered four different vulnerabilities affecting the virtual media service listening on TCP port 623 on the BMC:

• use of plaintext authentication;
• unauthenticated network traffic;
• weak encryption;
• an authentication bypass flaw (X10 and X11 platforms only);

Eclypsium warns that attackers can scan the web for servers with the default login or protected by weak credentials.

“Taken together, these weaknesses open several scenarios for an attacker to gain unauthorized access to virtual media. In the simplest case, an attacker could simply try the well-known default username and password for the BMC. However, even if the default password was changed, an attacker could still easily gain access.” continues the analysis.

“If a valid administrator had used virtual media since the BMC was last powered off, the authentication bypass vulnerability would allow an attacker to connect even without the proper username and password,” the report explains.”

At the time of publishing, researchers found at least 47,000 systems with their BMCs exposed to the Internet, most of them in the United States.

Experts also warn of the possibility to exploit the same vulnerabilities by gain access to a corporate network.

“Given the speed with which new BMC vulnerabilities are being discovered and their incredible potential impact, there is no reason for enterprises to risk exposing them directly to the Internet.” concludes Eclypsium.

“BMCs that are not exposed to the Internet should also be carefully monitored for vulnerabilities and threats. While organizations are often fastidious at applying patches for their software and operating systems, the same is often not true for the firmware in their servers. “

Pierluigi Paganini

(SecurityAffairs – USBAnywhere, SuperMicro)

[adrotate banner=”5″]

[adrotate banner=”13″]