BMC vulnerabilities in Supermicro servers allow remote takeover, data exfiltration attacks
A slew of vulnerabilities affecting the baseboard management controllers (BMCs) of Supermicro servers could be exploited by remote attackers to gain access to corporate networks, Eclypsium researchers have discovered.
The flaws, collectively dubbed USBAnywhere, could allow attackers to connect to a server and attach a virtual USB device to it remotely, over any network including the Internet, as if they had physical access to the server's USB port.
What are baseboard management controllers?
BMCs are specialized microcontrollers embedded on a server’s motherboard that allow sysadmins to perform low-level tasks without having to go where the server is located.
BMCs receive information from the various sensors built into the computer, allowing system administrators to be notified if something goes physically wrong with the system (e.g., overheating) and do something about it remotely.
They also allow sysadmins to load or upgrade software from a device that’s not physically plugged into the server (e.g., mount an OS installation ISO), or to remotely interact with the server via a “virtual” keyboard and mouse.
The vulnerabilities and their exploitation potential
“The problem stems from several issues in the way that BMCs on Supermicro X9, X10 and X11 platforms implement virtual media. When accessed remotely, the virtual media service allows plaintext authentication, sends most traffic unencrypted, uses a weak encryption algorithm for the rest, and is susceptible to an authentication bypass,” Eclypsium researchers explained.
“These issues allow an attacker to easily gain access to a server, either by capturing a legitimate user’s authentication packet, using default credentials, and in some cases, without any credentials at all. Once credentials are obtained, an attacker can then perform any of a large number of USB-based attacks against the server remotely including data exfiltration, booting from untrusted OS images, or direct manipulation of the system via a virtual keyboard and mouse.”
In a video accompanying the research, they demonstrated a data exfiltration attack.
Ideally, BMCs should never be reachable from the Internet, yet the researchers found 92,000 of them with a simple Shodan search. A separate scan of TCP port 623, the port used by the virtual media service, revealed 47,339 BMCs in over 90 countries with the affected service publicly accessible.
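The scan described above is one an administrator can repeat against their own address ranges. The script below is an added example, not Eclypsium's or Supermicro's code: run from a host outside the management network, it reports which BMC addresses accept a TCP connection on port 623 (the virtual media port named on this page), which is exactly the exposure the researchers counted. The target format (`host` or `host:port`), the helper names and the local listener used for the offline self-check are this example's own assumptions.

```python
"""Audit which BMC addresses expose the virtual media service on TCP 623.

Added example; not code from the original article or from Eclypsium/Supermicro.
Run it from OUTSIDE the management network: a reachable port from there means
the BMC is exposed and the isolation / port-blocking advice has not taken effect.
"""
import socket
from concurrent.futures import ThreadPoolExecutor

VIRTUAL_MEDIA_PORT = 623  # TCP port of the affected Supermicro virtual media service


def parse_target(target: str, default_port: int = VIRTUAL_MEDIA_PORT):
    """Accept 'host' or 'host:port' (assumed input format); return (host, port)."""
    host, sep, port = target.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return target, default_port


def port_reachable(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP handshake to host:port completes within timeout.

    Connection refused, unreachable network and timeouts all raise OSError
    (socket.timeout is a subclass), so any failure is reported as not reachable.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit(targets, timeout: float = 2.0, workers: int = 32):
    """Probe every target in parallel; return {target: reachable}."""
    targets = list(targets)

    def probe(target):
        host, port = parse_target(target)
        return port_reachable(host, port, timeout)

    with ThreadPoolExecutor(max_workers=workers) as pool:
        return dict(zip(targets, pool.map(probe, targets)))


def exposed(results):
    """Sorted list of targets whose virtual media port answered."""
    return sorted(t for t, ok in results.items() if ok)


def self_check():
    """Offline demonstration on loopback, so the logic can be exercised without a real BMC.

    Binds a throwaway listener on a free port (constructed test input, not port 623)
    and picks a second port that is known to be closed; returns the audit verdicts.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]

    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()  # port is free again, so connecting to it is refused

    try:
        results = audit([f"127.0.0.1:{open_port}", f"127.0.0.1:{closed_port}"], timeout=1.0)
        return {
            "open": results[f"127.0.0.1:{open_port}"],
            "closed": results[f"127.0.0.1:{closed_port}"],
        }
    finally:
        listener.close()


if __name__ == "__main__":
    import sys

    # One target per line on stdin, e.g. the BMC addresses from an asset inventory.
    results = audit(line.strip() for line in sys.stdin if line.strip())
    for target in exposed(results):
        print(f"EXPOSED {target}")
    print(f"{len(exposed(results))} of {len(results)} targets reachable on the virtual media port")
```

A reachable port from an untrusted vantage point is the signal to act on; a closed or filtered port from inside the management network proves nothing about Internet exposure, so run the audit from where an attacker would sit.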
Mitigation advice
The vulnerabilities were disclosed to Supermicro in June, and the company has already released new versions of the BMC firmware that address them. It is now up to administrators to apply the updates.
“Industry best practice is operating BMCs on an isolated private network not exposed to the internet, which would reduce, but not eliminate the identified exposure,” Supermicro explains.
“Another potential interim remediation is to disable Virtual Media by blocking TCP port 623 and then upgrade to the latest security fix for BMC/IPMI firmware at a later date.”
For the time being, there is no indication that these flaws are being exploited in the wild.
More information about Eclypsium’s findings can be found in the researchers’ report.