Researchers have detected a new attack vector against servers built on Supermicro motherboards: a new set of vulnerabilities collectively named USBAnywhere.
More than 47 thousand workstations and servers are currently exposed to remote attack, because the affected internal component is reachable from the Internet. The vulnerabilities affect the BMC (Baseboard Management Controller, the controller that implements IPMI). There is good news too: the developers have already released patches that fix the USBAnywhere problem.
Nevertheless, Supermicro staff, as well as a number of security experts, recommend blocking external access to the BMC management interface. USBAnywhere was first reported by Eclypsium researchers.
“At the time of writing, we found at least 47,000 systems with their BMCs exposed to the Internet and using the relevant protocol. It is important to remember that these are only the BMCs that are directly exposed to the Internet. The same issues can be easily exploited by attackers who gain access to a corporate network,” reported Eclypsium specialists.
According to the researchers' report, the flaws affect the virtual USB (virtual media) function in the BMC firmware. This feature lets system administrators connect USB devices to a server remotely and have the host see them as virtual USB devices.
The Eclypsium team said it was able to identify four security issues:
- Plaintext authentication. The authentication process sends the username and password in plain text.
- Unencrypted network traffic. Encryption is available, but it is only used if the client requests it.
- Weak encryption. The payload is encrypted with RC4 using a fixed key held in the BMC firmware, and RC4 has a number of known weaknesses.
- Authentication bypass (affects only the Supermicro X10 and X11 platforms). The most dangerous of the flaws found, because it allows an attacker to establish repeated connections to the BMC web interface without authenticating.
The combination of easy access and straightforward attack paths can allow even unsophisticated attackers to remotely attack some of an organization's most valuable assets. The vulnerability further highlights the importance of monitoring and securing servers beyond the operating system and applications they run.
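To show why the "weak encryption" finding matters, here is an added example (mine, not from the article or from Eclypsium; the key is a constructed placeholder and the session payloads are made up, not real BMC traffic): RC4 with one key fixed in firmware gives every session the same keystream, so knowing one session's plaintext exposes the same bytes of any other session, while a fresh per-session key removes that cross-session exposure.

```python
import os

def rc4_keystream(key: bytes, length: int) -> bytes:
    """Textbook RC4: key-scheduling (KSA) followed by the PRGA."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    while len(out) < length:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 encrypts and decrypts with the same XOR against the keystream."""
    return bytes(a ^ b for a, b in zip(data, rc4_keystream(key, len(data))))

# Placeholder standing in for a key embedded in firmware; not the real value.
FIXED_FIRMWARE_KEY = b"constructed-fixed-key"

# Constructed virtual-media session payloads, not captured traffic.
SESSION_A = b"MEDIA attach admin-usb image.iso"
SESSION_B = b"MEDIA attach backup-key secret.bin"

def shared_keystream_exposure(known_plain: bytes, known_cipher: bytes,
                              other_cipher: bytes) -> bytes:
    """One session's plaintext XOR its ciphertext yields the keystream prefix,
    which decrypts the same prefix of any session under the same key."""
    n = min(len(known_plain), len(known_cipher), len(other_cipher))
    keystream = bytes(p ^ c for p, c in zip(known_plain[:n], known_cipher[:n]))
    return bytes(k ^ c for k, c in zip(keystream, other_cipher[:n]))

def fixed_key_risk() -> bytes:
    """Both sessions under the one firmware key: session B is exposed."""
    ca = rc4(FIXED_FIRMWARE_KEY, SESSION_A)
    cb = rc4(FIXED_FIRMWARE_KEY, SESSION_B)
    return shared_keystream_exposure(SESSION_A, ca, cb)

def per_session_key_mitigation() -> bytes:
    """Same sessions, each under a fresh random key: A's keystream is useless against B."""
    ca = rc4(os.urandom(16), SESSION_A)
    cb = rc4(os.urandom(16), SESSION_B)
    return shared_keystream_exposure(SESSION_A, ca, cb)
```

A per-session key only fixes the reuse problem shown here; replacing RC4 with an authenticated cipher (for example AES-GCM under TLS) is the proper remedy.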
Mitigation
Organizations using the Supermicro X9, X10 and X11 platforms are encouraged to visit Supermicro’s Security Center and Virtual Media Vulnerability details page for information on updating BMC firmware on these platforms.
In addition to vendor-supplied updates, organizations should adopt tools to proactively ensure the integrity of their firmware and identify vulnerabilities, missing protections, and any malicious implants in their firmware.