Enterprise servers powered by Supermicro motherboards can remotely be compromised by virtually plugging in malicious USB devices, cybersecurity researchers at firmware security company Eclypsium told The Hacker News.

Yes, that's correct. You can launch all types of USB attacks against vulnerable Supermicro servers without actually physically accessing them or waiting for your victim to pick up an unknown, untrusted USB drive and plug it into their computer.

Collectively dubbed "USBAnywhere," the attack leverages several newly discovered vulnerabilities in the firmware of BMC controllers that could let an unauthorized, remote attacker connect to a Supermicro server and virtually mount a malicious USB device.

Embedded in most server chipsets, a baseboard management controller (BMC) is a hardware chip at the core of Intelligent Platform Management Interface (IPMI) utilities that allows sysadmins to remotely control and monitor a server without having to access the operating system or applications running on it.

In other words, BMC is an out-of-band management system that allows admins to remotely reboot a device, analyze logs, install an operating system, and update the firmware—making it one of the most privileged components in enterprise technology today.

One such BMC capability is mounting virtual media, which connects a disk image to the remote server as a virtual USB CD-ROM or floppy drive.

According to a report published today by Eclypsium and shared with The Hacker News prior to the publication, BMCs on Supermicro X9, X10, and X11 platforms use an insecure implementation to authenticate the client and transport USB packets between client and server.
BMC Vulnerabilities
These weaknesses, listed below, can easily be exploited by a remote attacker to bypass the authentication process of the virtual media service listening on TCP port 623, or to intercept traffic and recover BMC credentials that are either weakly encrypted or entirely unencrypted.

  • Plaintext Authentication
  • Unencrypted Network Traffic
  • Weak Encryption
  • Authentication Bypass (X10 and X11 platforms only)

"When accessed remotely, the virtual media service allows plaintext authentication, sends most traffic unencrypted, uses a weak encryption algorithm for the rest, and is susceptible to an authentication bypass," the researchers explain.

"These issues allow an attacker to easily gain access to a server, either by capturing a legitimate user's authentication packet, using default credentials, and in some cases, without any credentials at all."

Once connected, the compromised virtual media service lets attackers interact with the host system as a raw USB device, allowing them to do anything that can be done with physical access to a USB port, including:

  • exfiltrating data,
  • implanting malware,
  • booting from untrusted OS images,
  • directly manipulating the system via a virtual keyboard and mouse, and
  • disabling the device entirely.

According to the researchers, a scan of TCP port 623 across the Internet revealed more than 47,000 BMCs from over 90 different countries with the affected BMC firmware virtual media service publicly accessible.

Besides exploiting BMCs where virtual media services are directly exposed on the Internet, these flaws can also be exploited by an attacker with access to a closed corporate network or man-in-the-middle attackers within the client-side networks.

The researchers reported their findings to Supermicro in June and July this year. The company acknowledged the issues in August and publicly released a firmware update for their X9, X10 and X11 platforms before September 3rd.

Organizations are therefore encouraged to update their BMC firmware as soon as possible. Moreover, it is important to ensure that BMCs are never directly exposed to the Internet, since direct exposure greatly increases the likelihood of such attacks.
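As an added example (not code from the article or from Eclypsium), the following Python check runs over constructed flow-log lines and flags TCP/623 connections that do not stay within an assumed management subnet, which is the kind of exposure the researchers' port-623 scan measured. The subnet, the log format and the sample addresses are all assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical management subnet; substitute your own BMC/management VLAN ranges.
MANAGEMENT_NETS = [ipaddress.ip_network("10.10.0.0/24")]
VIRTUAL_MEDIA_PORT = 623  # TCP port of the Supermicro BMC virtual media service

# Constructed flow records in a simplified "src_ip src_port dst_ip dst_port proto" form.
SAMPLE_FLOWS = """\
10.10.0.15 51234 10.10.0.200 623 tcp
203.0.113.7 44122 198.51.100.20 623 tcp
10.20.3.9 40001 10.10.0.200 623 tcp
10.20.3.9 40002 10.10.0.200 443 tcp
203.0.113.7 44123 198.51.100.20 623 udp
"""


@dataclass(frozen=True)
class Finding:
    src: str
    dst: str
    reason: str


def parse_flow(line):
    """Split one constructed flow record into typed fields."""
    src, _sport, dst, dport, proto = line.split()
    return ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport), proto.lower()


def find_exposed_virtual_media(flow_text, mgmt_nets=MANAGEMENT_NETS):
    """Return one Finding per TCP/623 flow that leaves or enters the management nets.

    UDP/623 (standard IPMI RMCP) is deliberately ignored here; the article concerns
    the virtual media service on TCP/623 only.
    """
    findings = []
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        src, dst, dport, proto = parse_flow(line)
        if dport != VIRTUAL_MEDIA_PORT or proto != "tcp":
            continue
        if not any(dst in net for net in mgmt_nets):
            findings.append(Finding(str(src), str(dst), "BMC virtual media port on a non-management address"))
        elif not any(src in net for net in mgmt_nets):
            findings.append(Finding(str(src), str(dst), "TCP/623 reached from outside the management network"))
    return findings
```

On the sample flows the check reports two findings: the BMC answering on a non-management address and the management-subnet BMC reached from an ordinary workstation network.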
