Supermicro BMCs Expose Corporate Networks to Remote Attacks


A set of vulnerabilities has been discovered in the so-called baseboard management controllers (BMCs) of Supermicro servers. The flaws can be exploited in remote attacks and could grant access to corporate networks. Eclypsium researchers dubbed the vulnerabilities USBAnywhere.

Image: Eclypsium

USBAnywhere Vulnerabilities Explained

The vulnerabilities are located in the baseboard management controllers (BMCs) of Supermicro servers, and could allow an attacker to easily connect to a server and virtually mount any USB device of their choosing to the server, remotely over any network including the Internet, Eclypsium explained.

At least 47,000 systems are vulnerable to attacks, as their BMCs are exposed to the Internet. It should be noted that the same flaws can be exploited by threat actors who have already gained access to a corporate network.

But what exactly is a baseboard management controller, a.k.a. BMC? A BMC is a dedicated service processor designed to monitor the physical state of a computer, network server or other hardware device using sensors, and to communicate with the system administrator through an independent connection. The BMC is part of the Intelligent Platform Management Interface (IPMI) and is typically located on the motherboard or main circuit board of the device being monitored.


Furthermore, BMCs are meant to let administrators carry out out-of-band management of a server, which makes them highly privileged components.

In the current case, the vulnerabilities lie in the way that BMCs on Supermicro X9, X10 and X11 platforms implement virtual media. This is the ability to remotely connect a disk image as a virtual USB CD-ROM or floppy drive:

When accessed remotely, the virtual media service allows plaintext authentication, sends most traffic unencrypted, uses a weak encryption algorithm for the rest, and is susceptible to an authentication bypass. These issues allow an attacker to easily gain access to a server, either by capturing a legitimate user’s authentication packet, using default credentials, and in some cases, without any credentials at all, the researchers said.

The issue stems from the connection of the virtual media service with the host system, which is in fact similar to a raw USB device connection:

This means attackers can attack the server in the same way as if they had physical access to a USB port, such as loading a new operating system image or using a keyboard and mouse to modify the server, implant malware, or even disable the device entirely.

The heart of the problem lies within the small Java application that provides access to the virtual media service. The application connects to the media service via TCP port 623 on the BMC. A custom packet-based format is used to authenticate the client and to transport the USB packets between the client and the server.


Here are the issues the researchers discovered:

Plaintext authentication – While the Java application uses a unique session ID for authentication, the service also allows the client to use a plaintext username and password.
Unencrypted network traffic – Encryption is available but must be requested by the client.
Weak encryption – When encryption is used, the payload is encrypted with RC4 using a fixed key compiled into the BMC firmware. This key is shared across all Supermicro BMCs. RC4 has multiple published cryptographic weaknesses and has been prohibited from use in TLS (RFC 7465).
Authentication bypass (X10 and X11 platforms only) – After a client has properly authenticated to the virtual media service and then disconnected, some of the service’s internal state about that client is incorrectly left intact.
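One defender-side check that follows from the description above, written as an added example (it is not Eclypsium's or Supermicro's code): given firewall or flow logs, flag every allowed TCP connection to the virtual media port 623 that does not originate from the out-of-band management subnet, and rank the affected BMCs for patching and firewalling. The key=value log layout, the subnet ranges and the severity labels are assumptions for illustration; the sample log lines are constructed.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample firewall/flow log lines in a simple key=value layout (an assumption,
# not any vendor's real export format). TCP/623 is the BMC virtual media port from the article.
SAMPLE_LOG = """\
ts=2019-09-03T10:00:01Z src=10.40.1.15 dst=10.40.0.50 dport=623 proto=tcp action=allow
ts=2019-09-03T10:00:07Z src=10.20.5.8 dst=10.40.0.50 dport=623 proto=tcp action=allow
ts=2019-09-03T10:00:09Z src=203.0.113.77 dst=198.51.100.12 dport=623 proto=tcp action=allow
ts=2019-09-03T10:00:11Z src=203.0.113.77 dst=198.51.100.12 dport=443 proto=tcp action=allow
ts=2019-09-03T10:00:15Z src=192.0.2.9 dst=10.40.0.51 dport=623 proto=udp action=allow
ts=2019-09-03T10:00:20Z src=10.40.1.16 dst=10.40.0.51 dport=623 proto=tcp action=deny
"""

VIRTUAL_MEDIA_PORT = 623  # TCP port used by the virtual media service, per the article

# Assumed network plan: one dedicated out-of-band management subnet, and RFC 1918 space as the
# corporate internal range. Any other source is treated as external (Internet-facing).
MGMT_NETS = [ipaddress.ip_network("10.40.1.0/24")]
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

LINE_RE = re.compile(
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)\s+proto=(?P<proto>\w+)\s+action=(?P<action>\w+)"
)
SEVERITY_RANK = {"medium": 1, "high": 2}


@dataclass
class Finding:
    severity: str
    src: str
    dst: str
    reason: str


def parse_line(line: str) -> Optional[dict]:
    """Extract the fields we need from one log line; None if the line does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def in_any(addr: ipaddress.IPv4Address, nets) -> bool:
    return any(addr in n for n in nets)


def classify(rec: dict) -> Optional[Finding]:
    """Flag allowed TCP sessions to the virtual media port from outside the management subnet.
    UDP/623 (IPMI RMCP) is a different service and is deliberately left out of scope here."""
    if rec["dport"] != VIRTUAL_MEDIA_PORT or rec["proto"] != "tcp" or rec["action"] != "allow":
        return None
    src = ipaddress.ip_address(rec["src"])
    if in_any(src, MGMT_NETS):
        return None  # expected administrative use from the OOB network
    if in_any(src, INTERNAL_NETS):
        return Finding("medium", rec["src"], rec["dst"],
                       "virtual media reached from a non-management internal host")
    return Finding("high", rec["src"], rec["dst"],
                   "virtual media reached from an external address: BMC is Internet-exposed")


def analyze(log_text: str) -> list:
    """Run the classifier over every line of a log export and collect the findings."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        finding = classify(rec)
        if finding is not None:
            findings.append(finding)
    return findings


def exposed_bmcs(findings) -> dict:
    """Worst severity observed per BMC address, i.e. the patch/firewalling work queue."""
    worst = {}
    for f in findings:
        if f.dst not in worst or SEVERITY_RANK[f.severity] > SEVERITY_RANK[worst[f.dst]]:
            worst[f.dst] = f.severity
    return worst


if __name__ == "__main__":
    results = analyze(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity.upper()}] {f.src} -> {f.dst}:{VIRTUAL_MEDIA_PORT} {f.reason}")
    print("BMCs needing attention:", exposed_bmcs(results))
```

On the constructed sample this reports two findings: the session from 10.20.5.8 (inside the corporate range but not the management subnet) as medium, and the session from 203.0.113.77 to 198.51.100.12 as high, since that BMC is reachable from the Internet. Denied sessions, other ports and UDP/623 produce nothing. In practice the same classifier can be pointed at a real firewall export once the regular expression is adapted to that format, and the resulting per-BMC list is the set of controllers to patch and move behind the management network first.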

The worst part is that, combined, these issues enable several attack scenarios. The good news is that Eclypsium reported its findings to Supermicro, and the vendor has already released patches on its website for the Supermicro X9, X10 and X11 platforms.


Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum for 4 years. Enjoys ‘Mr. Robot’ and fears ‘1984’. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles!
