Supermicro BMC Vulnerabilities Expose Corporate Networks to Remote Attacks


Multiple vulnerabilities have been discovered in the baseboard management controllers (BMCs) of Supermicro servers. The flaws could be exploited in remote attacks and could allow access to corporate networks. Eclypsium researchers dubbed the vulnerabilities USBAnywhere.

Image: Eclypsium

USBAnywhere Vulnerabilities Explained

The vulnerabilities are located in the baseboard management controllers (BMCs) of Supermicro servers and could allow an attacker to easily connect to a server and virtually mount any USB device of their choosing to the server, remotely over any network including the Internet, Eclypsium explained.

At least 47,000 systems are vulnerable to attack, as their BMCs are exposed to the Internet. It should be noted that the same flaws can be exploited by threat actors who gain access to a corporate network.

But what exactly is a baseboard management controller, a.k.a. BMC? The BMC is a specialized service processor that monitors the physical state of a computer, network server or other hardware device using sensors and communicates with the system administrator through an independent connection. The BMC is part of the Intelligent Platform Management Interface (IPMI) and is typically located on the motherboard or main circuit board of the device being monitored.

Related: CVE-2019-1867: Highly Critical Bug in Cisco Elastic Services Controller

Moreover, BMCs are meant to help administrators carry out out-of-band management of a server, which makes them highly privileged components.

In this case, the vulnerabilities lie in the way BMCs on Supermicro X9, X10 and X11 platforms implement virtual media, the ability to remotely connect a disk image as a virtual USB CD-ROM or floppy drive:

When accessed remotely, the virtual media service allows plaintext authentication, sends most traffic unencrypted, uses a weak encryption algorithm for the rest, and is susceptible to an authentication bypass. These issues allow an attacker to easily gain access to a server, either by capturing a legitimate user's authentication packet, using default credentials, and in some cases, without any credentials at all, the researchers said.

The issue stems from the way the virtual media service connects to the host system, which is effectively a raw USB device connection:

This means attackers can attack the server in the same way as if they had physical access to a USB port, such as loading a new operating system image or using a keyboard and mouse to modify the server, implant malware, or even disable the device entirely.

The heart of the problem lies within the small Java application that provides access to the media service. The application connects to the media service via TCP port 623 on the BMC. A custom packet-based format is used to authenticate the client and transport the USB packets between the client and the server.
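Because the virtual media service lives on a fixed port (623/TCP) of a device that should only ever be reached from an out-of-band management network, the most useful defensive control is simply knowing who talks to it. The following is an added example (not Eclypsium's or Supermicro's code) of detection logic run over a few constructed firewall log lines. The log format, the management subnet 10.99.0.0/16 and the BMC addresses are assumptions for the example; in practice they come from your own firewall export and asset inventory.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed, vendor-neutral log format for this example (hypothetical, not a real export):
#   "<timestamp> ALLOW|DENY TCP <src_ip>:<src_port> -> <dst_ip>:<dst_port>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+TCP\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# TCP port the article names for the BMC virtual media service.
BMC_PORTS = {623}
# Assumed values: the out-of-band management subnet and BMC addresses from your inventory.
MGMT_NETS = [ipaddress.ip_network("10.99.0.0/16")]
BMC_HOSTS = {"10.99.1.10", "10.99.1.11"}
# RFC 1918 space, treated as "inside the corporate network" for this example.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Finding:
    severity: str
    src: str
    dst: str
    dport: int
    reason: str


def _in_any(addr: ipaddress.IPv4Address, nets) -> bool:
    return any(addr in net for net in nets)


def classify(line: str) -> Optional[Finding]:
    """Return a Finding for a log line that touches a BMC from an unexpected place, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None  # unparseable line: ignored here, worth counting in production
    dst, dport = m["dst"], int(m["dport"])
    if dport not in BMC_PORTS and dst not in BMC_HOSTS:
        return None  # not BMC-related traffic
    src = ipaddress.ip_address(m["src"])
    if m["action"] == "DENY":
        return Finding("low", str(src), dst, dport, "blocked attempt to reach a BMC service")
    if not _in_any(src, INTERNAL_NETS):
        return Finding("critical", str(src), dst, dport,
                       "BMC reachable from outside the corporate address space")
    if not _in_any(src, MGMT_NETS):
        return Finding("high", str(src), dst, dport,
                       "BMC reached from a non-management internal host")
    return None  # expected: a management host talking to a BMC


def scan(lines) -> List[Finding]:
    return [f for f in (classify(line) for line in lines) if f is not None]


# Constructed sample log lines (not real traffic).
SAMPLE_LOGS = """\
2019-09-03T10:00:01Z ALLOW TCP 10.99.0.50:51000 -> 10.99.1.10:623
2019-09-03T10:00:05Z ALLOW TCP 10.20.5.5:51001 -> 10.99.1.10:623
2019-09-03T10:00:09Z ALLOW TCP 198.51.100.7:44000 -> 10.99.1.11:623
2019-09-03T10:00:12Z DENY TCP 198.51.100.7:44001 -> 10.99.1.11:623
2019-09-03T10:00:15Z ALLOW TCP 10.20.5.5:51002 -> 10.10.0.4:443
""".splitlines()

if __name__ == "__main__":
    for f in scan(SAMPLE_LOGS):
        print(f"[{f.severity}] {f.src} -> {f.dst}:{f.dport}: {f.reason}")
```

The first sample line (management host to BMC) produces nothing; the internal non-management source is rated high, and the external source is rated critical even though the article's wider point is that such a BMC should not be reachable from the Internet at all. The "critical" finding is exactly the condition Eclypsium counted when it found at least 47,000 exposed BMCs, and it is the one to feed into an alert rather than a daily report.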

Related: CVE-2019-9569 and the Real Danger of HVACking

Here are the issues the researchers discovered:

Plaintext authentication – While the Java application uses a unique session ID for authentication, the service also allows the client to use a plaintext username and password.
Unencrypted network traffic – Encryption is available but must be requested by the client.
Weak encryption – When encryption is used, the payload is encrypted with RC4 using a fixed key compiled into the BMC firmware. This key is shared across all Supermicro BMCs. RC4 has multiple published cryptographic weaknesses and has been prohibited from use in TLS (RFC 7465).
Authentication bypass (X10 and X11 platforms only) – After a client has properly authenticated to the virtual media service and then disconnected, some of the service's internal state about that client is incorrectly left intact.
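The "weak encryption" item deserves a closer look, because a fixed key compiled into firmware is a defect independent of RC4's own published biases. RC4 is a stream cipher with no nonce: the same key always yields the same keystream, so any two messages encrypted under that key XOR to the XOR of their plaintexts, and one known plaintext reveals the other. The block below is an added illustration, not code from Eclypsium's write-up or from Supermicro's firmware; the key and the two messages are constructed, and it says nothing about the BMC's actual packet format. It contrasts the fixed-key case with per-session keys and includes a published RC4 test vector as a self-check.

```python
import os


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Plain RC4 (KSA + PRGA), shown only to illustrate the failure mode; not for new designs."""
    S = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):  # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def rc4(key: bytes, data: bytes) -> bytes:
    return xor_bytes(data, rc4_keystream(key, len(data)))


# Constructed stand-in for a key baked into firmware and shared by every device.
FIXED_KEY = b"example-firmware-key"
# Two constructed same-length messages exchanged in different sessions.
MSG_A = b"session=1;payload=AAAAAAAA"
MSG_B = b"session=2;payload=BBBBBBBB"
assert len(MSG_A) == len(MSG_B)


def recover_with_known_plaintext(c1: bytes, c2: bytes, known_m1: bytes) -> bytes:
    """If both ciphertexts used the same keystream, c1 ^ c2 == m1 ^ m2, so m1 reveals m2."""
    return xor_bytes(xor_bytes(c1, c2), known_m1)


def leaks_under_fixed_key() -> bool:
    """Fixed key: the second message is fully recovered from the first."""
    c1, c2 = rc4(FIXED_KEY, MSG_A), rc4(FIXED_KEY, MSG_B)
    return recover_with_known_plaintext(c1, c2, MSG_A) == MSG_B


def leaks_under_fresh_keys() -> bool:
    """Fresh per-session keys (as a real key exchange would provide): the trick yields garbage."""
    k1, k2 = os.urandom(16), os.urandom(16)
    c1, c2 = rc4(k1, MSG_A), rc4(k2, MSG_B)
    return recover_with_known_plaintext(c1, c2, MSG_A) == MSG_B


def self_check() -> bool:
    """Published RC4 test vector: key "Key", plaintext "Plaintext" -> bbf316e8d940af0ad3."""
    return rc4(b"Key", b"Plaintext").hex() == "bbf316e8d940af0ad3"


if __name__ == "__main__":
    print("RC4 self-check:", self_check())
    print("fixed key leaks second message:", leaks_under_fixed_key())
    print("fresh keys leak second message:", leaks_under_fresh_keys())
```

The defender's takeaway is that a per-session key negotiated by an authenticated exchange removes the keystream reuse, but not RC4's other weaknesses (the reason RFC 7465 bans it in TLS). Management traffic to a BMC belongs inside TLS with a modern AEAD cipher, and the mitigation that needs no protocol change at all is the one the article keeps returning to: keep the BMC off any network where a third party can observe or reach port 623.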

The worst part is that all these issues combined enable several attack scenarios. The good news is that Eclypsium reported its findings to Supermicro, and the vendor has already released patches on its website for the X9, X10 and X11 platforms.


Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum for 4 years. Enjoys 'Mr. Robot' and fears '1984'. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles!
