Enjoy the holiday weekend, America? Well-rested? Good. Supermicro server boards can be remotely hijacked

Virtual USB hub allows attackers to get into BMCs

Tens of thousands of servers around the world are believed to be hosting a vulnerability that would allow an attacker to remotely commandeer them.

The team at Eclypsium says it has discovered a set of flaws it refers to as USBAnywhere that, when exploited, would potentially allow an attacker to take over the baseboard management controller (BMC) for three different models of server boards: the X9, X10, and X11.

BMCs are designed to be a sort of always-on, remotely accessible "computer within the computer" that allows admins to connect to a server over the network and perform critical maintenance tasks, like updating the OS or firmware.

Ideally, BMCs are locked down within the network in order to prevent access by anyone outside of the company. In some cases, larger companies even opt to use their own BMC firmware that is fine-tuned for their data centers and applications.

In a few cases, however, those BMCs are left open to the internet and can be managed over a web interface – usually very easily since they aren't typically designed with security in mind. Here is where the vulnerabilities discovered by Eclypsium come in.

The target of the attack is the virtual media application that Supermicro uses for its BMC management console. This application allows admins to remotely mount images as USB devices, a useful tool to manage servers but also a security liability.

"This means attackers can attack the server in the same way as if they had physical access to a USB port, such as loading a new operating system image or using a keyboard and mouse to modify the server, implant malware, or even disable the device entirely," Eclypsium said.

"The combination of easy access and straightforward attack avenues can allow unsophisticated attackers to remotely attack some of an organization's most valuable assets."

The team found four different flaws within the virtual media service (on TCP port 623) of the BMC's web control interface.

They included the use of plaintext authentication and unauthenticated network traffic, as well as weak encryption and, on the X10 and X11 platforms, an authentication bypass flaw that lets a new client on the virtual media service run with the permissions of the previous client.

According to Eclypsium, the easiest way to attack the virtual media flaws is to find a server with the default login or brute-force an easily guessed login. In other cases, the flaws would have to be targeted.

"If a valid administrator had used virtual media since the BMC was last powered off, the authentication bypass vulnerability would allow an attacker to connect even without the proper username and password," the report explains.

"Given that BMCs are intended to be always available, it is particularly rare for a BMC to be powered off or reset. As a result, the authentication bypass vulnerability is likely to be applicable unless the server has been physically unplugged or the building loses power."

What's worse, Eclypsium believes that tens of thousands of servers contain this vulnerability and are open to the internet. A quick Shodan search on port 623 turned up 47,339 different BMCs around the world.

Fortunately, there is a fix out. Eclypsium said it has already contacted Supermicro and the vendor has released an update to fix the vulnerabilities. Organizations are advised to contact their server vendor and make sure they are running the latest version of the BMC firmware. ®
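One way a defender can act on the above, as an added example that is not code from the article or from Eclypsium: audit an asset inventory for X9/X10/X11 BMCs that have the virtual media service (TCP 623) open, and rank those reachable from outside the management network first. The inventory lines, their simplified nmap-style format, the Board tag and the management address range are all constructed assumptions.

```python
"""Audit an inventory for Supermicro BMCs exposing the virtual media service.

Added example; not code from the article or from Eclypsium. It parses a
constructed, simplified nmap-style inventory (line format and the Board
tag are assumptions) and classifies each X9/X10/X11 BMC by whether TCP
623 is open and whether the address sits inside the management network.
"""
import ipaddress
import re

VIRTUAL_MEDIA_PORT = 623
VULNERABLE_BOARDS = {"X9", "X10", "X11"}
# Assumed management ranges; any other address is treated as untrusted.
MANAGEMENT_NETS = [ipaddress.ip_network("10.20.0.0/16")]

# Constructed sample lines, not real hosts (203.0.113.0/24 is TEST-NET-3).
INVENTORY = """\
Host: 203.0.113.10 Ports: 22/open/tcp, 443/open/tcp, 623/open/tcp Board: X10
Host: 10.20.0.5 Ports: 443/open/tcp, 623/open/tcp Board: X11
Host: 203.0.113.44 Ports: 443/open/tcp, 623/closed/tcp Board: X9
Host: 10.20.7.9 Ports: 443/open/tcp, 623/open/tcp Board: H11
"""

LINE_RE = re.compile(r"Host: (\S+) Ports: (.*?) Board: (\S+)$", re.M)

def open_ports(field):
    """'443/open/tcp, 623/open/tcp' -> {443, 623}"""
    return {int(p.split("/")[0]) for p in field.split(", ") if "/open/" in p}

def in_management_net(host):
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in MANAGEMENT_NETS)

def classify(host, ports, board):
    """Return a severity label for one BMC record."""
    if board not in VULNERABLE_BOARDS or VIRTUAL_MEDIA_PORT not in open_ports(ports):
        return "ok"
    if not in_management_net(host):
        return "critical"   # 623 reachable from outside: patch, firewall, reset BMC
    return "patch"          # inside the management net: still needs the firmware fix

def audit(inventory):
    """Map host -> severity for every record that needs attention."""
    results = {}
    for host, ports, board in LINE_RE.findall(inventory):
        severity = classify(host, ports, board)
        if severity != "ok":
            results[host] = severity
    return results

if __name__ == "__main__":
    for host, severity in audit(INVENTORY).items():
        print(f"{severity:9} {host}")
```

A "critical" host needs the port firewalled and the firmware update applied, and because the bypass persists until the BMC is power-cycled, a BMC reset afterwards.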
