A vulnerability in the baseboard management controllers (BMCs) of Supermicro serverboards – a component that provides “virtually omnipotent control over a server and its contents” – allows an attacker to compromise servers by virtually mounting a USB device of their choosing, remotely over any network, including the internet.
The Supermicro vulnerability, disclosed today by firmware security specialists Eclypsium would allow the attacker to boot the machine from a malicious USB image, exfiltrate data over a USB mass storage device, or use a virtual USB Rubber Ducky (a USB device able to craft payloads capable of changing system settings, opening backdoors, retrieving data, initiating reverse shells, etc. within seconds).
Over 47,000 BMCs in 90 different countries are running vulnerable servers that are publicly accessible on the internet, it added. Based on a Shodan scan, a significant 4,531 of those are in the UK: Supermicro hardware is widely used in the financial services sector in the UK. The vast majority (over 29,000) are in the US.
The disclosure is the latest in a run of bad news for the company, which in 2018 was rocked by a hugely controversial Bloomberg story that claimed its hardware had been compromised by Chinese military intelligence. Customers including Amazon and Apple, along with Supermicro itself rejected these claims outright.
The Portland-based company said in a blog post detailing the vulnerability: “The problem stems from several issues in the way that BMCs on Supermicro X9, X10 and X11 platforms implement virtual media, an ability to remotely connect a disk image as a virtual USB CD-ROM or floppy drive. When accessed remotely, the virtual media service allows plaintext authentication, sends most traffic unencrypted, uses a weak encryption algorithm for the rest, and is susceptible to an authentication bypass.”
Supermicro Vulnerability: Firmware Patch and Workarounds
Supermicro “quickly responded” to disclosure of the issue, Eclypsium said.
It has pushed out a software patch that resolves the issue and proposed two potential remediations for those, for whatever reason, that are unable to patch urgently.
Supermicro said: “Industry best practice is operating BMCs on an isolated private network not exposed to the internet, which would reduce, but not eliminate the identified exposure. Another potential interim remediation is to disable virtual media by blocking TCP port 623 and then upgrade to the latest security fix.”
The issue would let an attacker capture a legitimate user’s authentication packet using default credentials, and in some cases, without any credentials at all.
Eclypsium noted: “Once connected, the virtual media service allows the attacker to interact with the host system as a raw USB device. This means attackers can attack the server in the same way as if they had physical access to a USB port, such as loading a new operating system image or using a keyboard and mouse to modify the server, implant malware, or even disable the device entirely. The combination of easy access and straightforward attack avenues can allow unsophisticated attackers to remotely attack some of an organization’s most valuable assets.”
Eclypsium made waves in February by leasing an IBM Cloud bare metal server, compromising it, re-releasing it into IBM’s hardware pool and then accessing it when it was being used to run another cloud client’s workloads.
It has shared full technical details in a GitHub repo.
