Security Experts:

USBAnywhere: BMC Flaws Expose Supermicro Servers to Remote Attacks

Tens of thousands of servers made by Supermicro could be exposed to remote attacks from the internet due to baseboard management controller (BMC) vulnerabilities identified by researchers at firmware security company Eclypsium.

The BMC, a small computer present on a majority of server motherboards, allows administrators to remotely control and monitor a server without having to access the operating system or applications running on it. The BMC can be used to reboot a device, install operating systems, update firmware, and monitor system parameters.

Researchers from Eclypsium and other companies showed in the past that BMC vulnerabilities can pose a serious risk. Eclypsium on Tuesday reported finding more BMC flaws that appear to be specific to Supermicro servers.

The security holes, collectively tracked as USBAnywhere, affect a virtual media service implemented on Supermicro X9, X10 and X11 servers. The impacted service is designed to allow users to remotely connect a disk image as a virtual USB, CD or floppy drive.

Supermicro servers exposed to USBAnywhere attacks

“When accessed remotely, the virtual media service allows plaintext authentication, sends most traffic unencrypted, uses a weak encryption algorithm for the rest, and is susceptible to an authentication bypass. These issues allow an attacker to easily gain access to a server, either by capturing a legitimate user’s authentication packet, using default credentials, and in some cases, without any credentials at all,” Eclypsium said in a blog post.

The company added, “Once connected, the virtual media service allows the attacker to interact with the host system as a raw USB device. This means attackers can attack the server in the same way as if they had physical access to a USB port, such as loading a new operating system image or using a keyboard and mouse to modify the server, implant malware, or even disable the device entirely. The combination of easy access and straightforward attack avenues can allow unsophisticated attackers to remotely attack some of an organization’s most valuable assets.”

Rick Altherr, Principal Engineer at Eclypsium, has described for SecurityWeek the steps an attacker would need to take to exploit the USBAnywhere vulnerabilities. First, they would have to scan the entire IPv4 address space. They can use a tool such as the open source masscan to perform a SYN scan for TCP port 623, which takes roughly 6 hours for all the 4.29 million possible addresses.

They can then send a status request (an unauthenticated command on the virtual media service) to each of the previously identified IPs using a tool such as zgrab2 in order to identify affected BMCs.

Altherr explained:

Once BMCs have been identified, a possible attack scenario is:

1) Attempt to authenticate to the virtual media service with a random username/password. If the attacker is lucky, the authentication bypass vulnerability will log them in even with bogus credentials. If so, skip to #5. Otherwise, proceed to #2.

 

2) Attempt to authenticate to the virtual media service with a username of ADMIN and a password of ADMIN. These are the default username/password for Supermicro BMCs and are frequently unchanged. If this is successful, skip to #5. Otherwise, proceed to #3.

 

3) If the attacker can intercept traffic between the BMC and a legitimate user, the attacker can record the legitimate user's encrypted authentication packet. Due to the weak crypto vulnerability, the attacker can easily decrypt the captured packet and use the credentials to connect to the virtual media service. If successful, go to #5. Otherwise, proceed to #4.

 

4) Since the virtual media service is exposed, it is likely that IPMI (UDP port 623) is also exposed. Existing attacks against IPMI (Authentication Bypass via Cipher 0 and RAKP Authentication Remote Password Hash Retrieval; both described here) can be used to either create a new account on the BMC or to download the password hashes for offline cracking. In a test with our internal servers, I was able to crack all 8 character BMC passwords in ~20h on a rental machine that costs $0.93/hr.

 

5) Use Facedancer to connect a virtual USB Keyboard and virtual USB CD-ROM drive to the host system via the virtual media service. The virtual keyboard is used to send CTRL-ALT-DELETE or other keystrokes to cause the server to reboot. Once the host begins to reboot, the virtual keyboard can then send keystrokes to cause the host system firmware to boot from the virtual CD-ROM. At that point, the attacker has taken control of the host system.

 

If I recall correctly, I ran zgrab2 over 2.7M IP addresses for our study and it took ~12h to complete.

Eclypsium has identified over 47,000 internet-exposed BMCs spread across 90 countries that may be vulnerable to attacks. A significant number of vulnerable BMCs may also be accessible from inside corporate networks.

Eclypsium reported the USBAnywhere vulnerabilities to Supermicro in June and July, and the company also alerted CERT/CC due to the significant number of internet-exposed vulnerable systems. Supermicro X9, X10 and X11 users should look for firmware updates that address the weaknesses.

In recent months, Eclypsium also disclosed potentially serious BMC vulnerabilities in motherboards from Lenovo, Gigabyte and other vendors, and flaws in 40 device drivers from 20 vendors that can be exploited to deploy persistent malware.

Related: Hackers Can Plant Backdoors on Bare Metal Cloud Servers

Related: Servers Can Be Bricked Remotely via BMC Attack

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.