alswart - stock.adobe.com
At least 47,000 Supermicro servers in 90 countries are exposed to the internet with unpatched vulnerabilities in the firmware for their baseboard management controllers (BMCs), security researchers warn.
Supermicro issued a patch after researchers at security firm Eclypsium reported the vulnerabilities, which can allow an attacker to connect to a server and virtually mount any USB device remotely over any network, including the internet.
Dubbed USBAnywhere, the attack could be carried out against vulnerable BMC by attackers who gain access to a corporate network, so the number of vulnerable servers is greater than the 47,000 exposed to the internet, the researchers said.
The vulnerability is serious because BMCs are designed to allow administrators to perform out-of-band management of a server, and as a result are highly privileged components.
The USBAnywhere vulnerability stems from several issues in the way that BMCs on Supermicro X9, X10 and X11 platforms implement virtual media, which provides the ability to remotely connect a disk image as a virtual USB CD-ROM or floppy drive.
When accessed remotely, researchers found that the virtual media service allows plaintext authentication, sends most traffic unencrypted, uses a weak encryption algorithm for the rest, and is susceptible to an authentication bypass.
Attackers could exploit these issues to gain access to a server, either by capturing a legitimate user’s authentication packet, using default credentials, and in some cases, without any credentials at all, the researchers warn.
Read more about firmware security
- Researchers are warning of vulnerabilities in firmware from a third-party supplier that put some servers from Lenovo, Gigabyte and six other manufacturers at risk.
- Tortuga Logic has launched a firmware security platform that automatically performs security validation of firmware on SoC designs using an existing platform from Cadence.
- A virtual environment's security can make the difference when it comes to malicious attacks, preventing unauthorized OS or firmware codes from running at boot time.
Once connected, the virtual media service allows the attacker to interact with the host system as if it were a directly connected USB device. This means attackers can attack the server in the same way as if they had physical access to a USB port, such as loading a new operating system image or using a keyboard and mouse to modify the server, implant malware, or even disable the device entirely.
The combination of “easy access and straightforward attack avenues” can allow unsophisticated attackers to attack some of an organisation’s most valuable assets, the researchers warn, advising that BMCs should never be directly exposed to the Internet because this greatly increases the likelihood of an attack.
While it is well-known security best practice to isolate BMCs on their own private and secured network segment, the researchers said many organisations forget or ignore this step, as shown by the fact that a Shodan scan reveals that there are at least 92,000 BMCs easily discoverable on the internet.
Given the speed with which new BMC vulnerabilities are being discovered and their potential impact, the researchers said there is no reason for enterprises to risk exposing them directly to the Internet.
Even EMCs that are not exposed to the internet should be carefully monitored for vulnerabilities and threats, they said, adding that all firmware updates should be applied as soon as possible.
In addition to firmware updates, the researchers said organisations should adopt tools to proactively ensure the integrity of their firmware and identify vulnerabilities, missing protections, and any malicious implants in their firmware.
The USBAnywhere vulnerability highlights the importance of monitoring and securing servers beyond the scope of the operating system and applications they run, the researchers said, noting that servers have an “exceedingly broad firmware attack surface”, of which BMCs are but one example.
Network adapters, physical ports, drives, processors and chipsets, and dozens of other components rely on firmware that contains exploitable vulnerabilities, the researchers warn.
Threats operating at this level can easily subvert traditional security measures and put the device and the integrity of all its data at risk. As such, organisations should begin to treat these layers of security with the attention it deserves,” they said.