Security researchers have discovered that at least 47,000 Supermicro severs in 90 countries have unpatched vulnerabilities in the firmware for their baseboard management controllers (BMCs) and this could leave them open to remote attacks.
The security firm Eclypsium found the vulnerabilities and reported them to Supermicro and the company has since issued a patch to fix the issue. However, if left unpatched, the vulnerabilities could be exploited to allow an attacker to connect to a server and virtually mount any USB device over the internet.
The attack, called USBAnywhere, could be carried out against any vulnerable BMC by attackers after gaining access to a corporate network. This means that the number of vulnerable servers could be much higher than the 47,000 which are exposed to the internet.
BMCs are designed to allow administrators to perform out-of-band management of a server and this is why the vulnerability discovered by Eclypsium is so serious.
The USBAnywhere vulnerability arose from several issues in how BMCs on Supermicro’s X9, X10 and X11 platforms implement virtual media which gives administrators the ability to remotely connect a disk image as a virtual USB CD-ROM or floppy drive. Eclypsium’s researchers found that, when accessed remotely, the virtual media service allows for plaintext authentication, sends most traffic without encryption, uses a weak encryption algorithm and is susceptible to an authentication bypass.
Potential attackers could exploit these issues to gain access to a server by capturing a legitimate user’s authentication packet, using default credentials or without any credentials at all in some cases. Once a connection has been established, the virtual media service allows an attacker to interact with the host system as if they had directly connected a USB device to it. From here, an attacker could load a new operating system image, use a keyboard and mouse to modify the server, implant malware or even disable the server entirely.
Usually it is recommended that organizations isolate BMCs on their own private and secured network segment. However, Eclypsium found that many organizations forget or choose to ignore this step and the firm used a Shodan scan which revealed that at least 92,000 BMCs are easily discoverable on the internet to illustrate this.
To avoid falling victim to such an attack, Eclypsium recommends that all organizations update their BMC with the latest firmware and that they avoid exposing them directly to the internet as new BMC vulnerabilities are being discovered at a rapid rate.
Via Computer Weekly