View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
September 3, 2019updated 04 Sep 2019 6:03pm

Supermicro Vulnerability Gives “Virtually Omnipotent Control over a Server and its Contents”

A patch is now available. Those affected can also 1) get their BMC off the internet, or 2) disable virtual media by blocking TCP port 623

By CBR Staff Writer

A vulnerability in the baseboard management controllers (BMCs) of Supermicro serverboards – a component that provides “virtually omnipotent control over a server and its contents” – allows an attacker to compromise servers by virtually mounting a USB device of their choosing, remotely over any network, including the internet.

The Supermicro vulnerability, disclosed today by firmware security specialists Eclypsium would allow the attacker to boot the machine from a malicious USB image, exfiltrate data over a USB mass storage device, or use a virtual USB Rubber Ducky (a USB device able to craft payloads capable of changing system settings, opening backdoors, retrieving data, initiating reverse shells, etc. within seconds).

Over 47,000 BMCs in 90 different countries are running vulnerable servers that are publicly accessible on the internet, it added. Based on a Shodan scan, a significant 4,531 of those are in the UK: Supermicro hardware is widely used in the financial services sector in the UK. The vast majority (over 29,000) are in the US.

The disclosure is the latest in a run of bad news for the company, which in 2018 was rocked by a hugely controversial Bloomberg story that claimed its hardware had been compromised by Chinese military intelligence. Customers including Amazon and Apple, along with Supermicro itself rejected these claims outright.

The Portland-based company said in a blog post detailing the vulnerability: “The problem stems from several issues in the way that BMCs on Supermicro X9, X10 and X11 platforms implement virtual media, an ability to remotely connect a disk image as a virtual USB CD-ROM or floppy drive. When accessed remotely, the virtual media service allows plaintext authentication, sends most traffic unencrypted, uses a weak encryption algorithm for the rest, and is susceptible to an authentication bypass.”

Supermicro Vulnerability: Firmware Patch and Workarounds

Supermicro “quickly responded” to disclosure of the issue, Eclypsium said.

It has pushed out a software patch that resolves the issue and proposed two potential remediations for those, for whatever reason, that are unable to patch urgently.

Content from our partners
How businesses can safeguard themselves on the cyber frontline
How hackers’ tactics are evolving in an increasingly complex landscape
Green for go: Transforming trade in the UK

Supermicro said: “Industry best practice is operating BMCs on an isolated private network not exposed to the internet, which would reduce, but not eliminate the identified exposure. Another potential interim remediation is to disable virtual media by blocking TCP port 623 and then upgrade to the latest security fix.”

The issue would let an attacker capture a legitimate user’s authentication packet using default credentials, and in some cases, without any credentials at all.

Eclypsium noted: “Once connected, the virtual media service allows the attacker to interact with the host system as a raw USB device. This means attackers can attack the server in the same way as if they had physical access to a USB port, such as loading a new operating system image or using a keyboard and mouse to modify the server, implant malware, or even disable the device entirely. The combination of easy access and straightforward attack avenues can allow unsophisticated attackers to remotely attack some of an organization’s most valuable assets.”

Eclypsium made waves in February by leasing an IBM Cloud bare metal server, compromising it, re-releasing it into IBM’s hardware pool and then accessing it when it was being used to run another cloud client’s workloads.

It has shared full technical details in a GitHub repo.

Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how New Statesman Media Group may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.
THANK YOU