Myriad vulnerabilities were discovered in the so-called baseboard management controllers (BMCs) of Supermicro servers. The flaws could be exploited in remote attacks and could grant access to corporate networks. Eclypsium researchers dubbed the vulnerabilities USBAnywhere.
Image: Eclypsium
USBAnywhere Vulnerabilities Explained
The vulnerabilities are located in the baseboard management controllers (BMCs) of Supermicro servers, and could allow an attacker to easily connect to a server and virtually mount any USB device of their choosing to the server, remotely over any network including the Internet, Eclypsium explained.
At least 47,000 systems are vulnerable to attacks, as their BMCs are exposed to the Internet. It should be noted that the same flaws can be exploited by threat actors who gain access to a corporate network.
But what exactly is a baseboard management controller, a.k.a. BMC? A BMC is a specific service processor designed to monitor the physical state of a computer, network server or other hardware device using sensors and communicating with the system administrator through an independent connection. The BMC is in fact part of the Intelligent Platform Management Interface (IPMI) and is typically located in the motherboard or main circuit board of the device to be monitored.
Furthermore, BMCs should aid administrators in carrying out out-of-band management of a server, which makes them highly privileged components.
In the current case, the vulnerabilities lie in the way that BMCs on Supermicro X9, X10 and X11 platforms implement virtual media. This is the ability to remotely connect a disk image as a virtual USB CD-ROM or floppy drive:
When accessed remotely, the virtual media service allows plaintext authentication, sends most traffic unencrypted, uses a weak encryption algorithm for the rest, and is susceptible to an authentication bypass. These issues allow an attacker to easily gain access to a server, either by capturing a legitimate user’s authentication packet, using default credentials, and in some cases, without any credentials at all, the researchers said.
The issue stems from the connection of the virtual media service with the host system, which is in fact similar to a raw USB device connection:
This means attackers can attack the server in the same way as if they had physical access to a USB port, such as loading a new operating system image or using a keyboard and mouse to modify the server, implant malware, or even disable the device entirely.
The heart of the problem lies within the small Java application which aids the access to the media service. The application connects to the media service via TCP port 623 on the BMC. A custom packet-based format is used to authenticate the client and transport the USB packets between the client and the server.
Here are the issues the researchers discovered:
Plaintext Authentication – While the Java application uses a unique session ID for authentication, the service also allows the client to use a plaintext username and password.
Unencrypted network traffic – Encryption is available but must be requested by the client.
Weak encryption – When encryption is used, the payload is encrypted with RC4 using a fixed key compiled into the BMC firmware. This key is shared across all Supermicro BMCs. RC4 has multiple published cryptographic weaknesses and has been prohibited from use in TLS (RFC7465).
Authentication Bypass (X10 and X11 platforms only) – After a client has properly authenticated to the virtual media service and then disconnected, some of the service’s internal state about that client is incorrectly left intact.
The worst part is that all these issues combined create several attack scenarios. The good news is that Eclypsium reported their findings to Supermicro. The vendor has already released patches on its website for Supermicro X9, X10, and X11.