More than 47,000 workstations and servers, possibly more, running on Supermicro motherboards are currently open to attacks because administrators have left an internal component exposed on the internet.
These systems are vulnerable to a new set of vulnerabilities named USBAnywhere that affect the baseboard management controller (BMC) firmware of Supermicro motherboards.
Patches are available to fix the USBAnywhere vulnerabilities, but Supermicro and security experts recommend restricting access to BMC management interfaces from the internet, as a precaution and industry best practice.
What are BMCs?
BMCs are components part of the Intelligent Platform Management Interface (IPMI). IPMI is a standard and collection of tools usually found on servers and workstations deployed on enterprise networks. IPMI allows system administrators to manage systems from remote locations, at a level lower and independent from the operating system.
IPMI tools can allow a remote administrator to connect or send instructions to a PC/server and perform various operations, such as modify OS settings, reinstall the OS, or update drivers.
At the core of all IPMI remote management solutions are baseboard management controllers. BMCs are microcontrollers embedded in motherboards that come with their own CPU, storage system, and LAN interface,
BMCs act as an interface between the server/workstation hardware and a remote sysadmin. They are the component that translates all IPMI commands into instructions for the local hardware, and, as a result, have full control over a computer.
Because of the access they have, access to a BMC interface is highly restricted, and they are secured with a password, usually known by a company's sysadmin only.
What are the USBAnywhere vulnerabilities
But in new research published today, security researchers from Eclypsium said they found vulnerabilities in Supermicro's BMC firmware.
These vulnerabilities, which they named USBAnywhere, impact the firmware's virtual USB feature, which lets sysadmins plug a USB into their own computer, but see it as a virtual USB connected to a remotely-managed system, transferring data from their local USB to the remote virtual one.
This feature -- part of the larger BMC virtual media service -- is a small Java application that is served via the standard BMC web interface that ships with Supermicro-based systems.
Eclypsium researchers said they found four issues with the authentication used by this Java application:
● Plaintext Authentication -- While the Java application uses a unique session ID for authentication, the service also allows the client to use a plaintext username and password.
● Unencrypted network traffic -- Encryption is available but must be requested by the client. The Java application provided with the affected systems use this encryption for the initial authentication
packet but then use unencrypted packets for all other traffic.
● Weak encryption -- When encryption is used, the payload is encrypted with RC4 using a fixed key compiled into the BMC firmware. This key is shared across all Supermicro BMCs. RC4 has
multiple published cryptographic weaknesses and has been prohibited from use in TLS (RFC7465).
● Authentication Bypass (Supermicro X10 and X11 platforms only) -- After a client has properly authenticated to the virtual media service and then disconnected, some of the service's internal state about that client is incorrectly intact. As the internal state is linked to the client's socket file descriptor number, a new client that happens to be assigned the same socket file descriptor number by the BMC's
OS inherits this internal state. In practice, this allows the new client to inherit the previous client's authorization even when the new client attempts to authenticate with incorrect credentials.
Supermicro has released patches
Eclypsium reported all four issues to Supermicro, and the vendor released patches on its website for Supermicro X9, X10, and X11 boards.
"We want to thank the researchers who have identified the BMC Virtual Media vulnerability," a Supermicro spokesperson told ZDNet in an email last week.
The vendor also said it worked closely with Eclypsium to validate that the fixes worked as intended, and they should now be safe to use.
"Key changes include wrapping the virtual media service with TLS, removing plaintext authentication functionality, and fixing the bug that led to authentication bypass," Rick Altherr, Principal Engineer at Eclypsium, told ZDNet in an email, about Supermicro's fixes.
The most dangerous bug
Of the four bugs, the fourth is the one that's most likely to cause problems. The bug allows a malicious hacker to initiate repeated connections to the BMC web interface's virtual media service (Java app) until they land on the same server socket that was used by a legitimate admin.
But while exploiting this vulnerability seems like a matter of blind luck, Altherr doesn't recommend that companies take a chance.
"While the exact conditions that lead to socket number reuse in Linux can be complex and thus it is mostly blind luck, the single-user usage model of the virtual media service tends to significantly increase the chances," he told ZDNet.
"In our testing, we were able to reliably exploit the authentication bypass against a BMC weeks after the virtual media service had been used by a legitimate user."
When this happens, the attacker can interact with the BMC, despite not having proper BMC credentials.
While mimicking a USB looks innocuous, the Eclypsium research team said an attacker can "boot the machine from a malicious USB image, exfiltrate data over a USB mass storage device, or use a virtual USB Rubber Ducky that rapidly performs a sequence of carefully crafted keystrokes to perform virtually any other type of hacking against the BMC, the firmware, or the server it manages."
Between 47,000 and 55,000 Supermicro BMCs exposed online
Attacks like these are dangerous when carried out with physical access, but they're even more dangerous when performed via a remote vector like the internet.
"A scan of TCP port 623 across the Internet revealed 47,339 BMCs from over 90 different countries with the affected virtual media service publicly accessible," Eclypsium researchers said.
These systems are now in danger of coming under attack, and potentially getting compromised.
Attackers can plant malware on these systems that can survive OS reinstalls, or even temporarily brick servers, a tactic that can be used to sabotage competitors or for extorting ransom payments from organizations running systems with exposed BMC virtual media ports.
A BinaryEdge search performed by ZDNet before this article's publication found even a larger amount of exposed systems -- with over 55,000 Supermicro IPMI interfaces exposing port 623 online.
The vast majority of these systems were on the networks of data centers and web hosting providers, exposing these companies and their respective customers to USBAnywhere attacks.
Supermicro: Install patches, take BMCs off the internet
"Industry best practice is operating BMCs on an isolated private network not exposed to the internet, which would reduce, but not eliminate the identified exposure," a Supermicro spokesperson told ZDNet last week.
The company recommends that customers install the latest patches to completely mitigate the USBAnywhere attack vector for good.
This isn't the first time that security experts are warning about leaving BMC/IPMI management interfaces accessible from the internet.
In 2013, academics found 100,000 IPMI-enabled systems from three major vendors that were reachable via the internet. At the time, BMC firmware protections weren't a standard, and all those servers were in danger of having their firmware reflashed with malicious versions.