Supermicro fixes BMC software flaws that expose servers to virtual USB attacks

News by Bradley Barth

Researchers found a series of vulnerabilities in Supermicro's baseboard management controller software, which remote attackers could exploit to mount USB devices to affected servers over any network connection

High-tech manufacturer Supermicro this week issued an update for its baseboard management controller (BMC) software, after researchers found a series of vulnerabilities that remote attackers could exploit to mount USB devices to affected servers over any network connection, including the internet.

The bugs affect Supermicro's X9, X10, X11, H11 and H12 servers, and are found specifically within the BMC/IPMI Virtual Media function, which normally enables users to attach a disk image to the server as a virtual CD/DVD or floppy drive.

However, "When accessed remotely, the virtual media service allows plaintext authentication, sends most traffic unencrypted, uses a weak encryption algorithm for the rest, and is susceptible to an authentication bypass," warns a Sept. 3 blog post from Eclypsium, whose researchers uncovered the vulnerabilities and collectively named them USBAnywhere. "These issues allow an attacker to easily gain access to a server, either by capturing a legitimate user's authentication packet, using default credentials, and in some cases, without any credentials at all."

Such unauthorised access could then allow adversaries to "interact with the host system as a raw USB device," Eclypsium explains, and attack the server as if they actually had physical access to its USB ports. Attackers could theoretically load a new operating system image or use a keyboard and mouse "to modify the server, implant malware, or even disable the device entirely."

After installing the software updates, users can further mitigate the problems by operating BMCs on an isolated private network (and not the internet) and by disabling Virtual Media by blocking TCP port 623, Supermicro recommends in its own online vulnerability advisory.

At the time Eclypsium published its blog post, its researchers were aware of at least 47,000 systems with their BMCs exposed to the internet and using the affected protocol.

This article was originally published on SC Media US.
