Security Experts:

Connect with us

Hi, what are you looking for?



USBAnywhere: BMC Flaws Expose Supermicro Servers to Remote Attacks

Tens of thousands of servers made by Supermicro could be exposed to remote attacks from the internet due to baseboard management controller (BMC) vulnerabilities identified by researchers at firmware security company Eclypsium.

Tens of thousands of servers made by Supermicro could be exposed to remote attacks from the internet due to baseboard management controller (BMC) vulnerabilities identified by researchers at firmware security company Eclypsium.

The BMC, a small computer present on a majority of server motherboards, allows administrators to remotely control and monitor a server without having to access the operating system or applications running on it. The BMC can be used to reboot a device, install operating systems, update firmware, and monitor system parameters.

Researchers from Eclypsium and other companies showed in the past that BMC vulnerabilities can pose a serious risk. Eclypsium on Tuesday reported finding more BMC flaws that appear to be specific to Supermicro servers.

The security holes, collectively tracked as USBAnywhere, affect a virtual media service implemented on Supermicro X9, X10 and X11 servers. The impacted service is designed to allow users to remotely connect a disk image as a virtual USB, CD or floppy drive.

Supermicro servers exposed to USBAnywhere attacks

“When accessed remotely, the virtual media service allows plaintext authentication, sends most traffic unencrypted, uses a weak encryption algorithm for the rest, and is susceptible to an authentication bypass. These issues allow an attacker to easily gain access to a server, either by capturing a legitimate user’s authentication packet, using default credentials, and in some cases, without any credentials at all,” Eclypsium said in a blog post.

The company added, “Once connected, the virtual media service allows the attacker to interact with the host system as a raw USB device. This means attackers can attack the server in the same way as if they had physical access to a USB port, such as loading a new operating system image or using a keyboard and mouse to modify the server, implant malware, or even disable the device entirely. The combination of easy access and straightforward attack avenues can allow unsophisticated attackers to remotely attack some of an organization’s most valuable assets.”

Rick Altherr, Principal Engineer at Eclypsium, has described for SecurityWeek the steps an attacker would need to take to exploit the USBAnywhere vulnerabilities. First, they would have to scan the entire IPv4 address space. They can use a tool such as the open source masscan to perform a SYN scan for TCP port 623, which takes roughly 6 hours for all the 4.29 million possible addresses.

They can then send a status request (an unauthenticated command on the virtual media service) to each of the previously identified IPs using a tool such as zgrab2 in order to identify affected BMCs.

Altherr explained:

Once BMCs have been identified, a possible attack scenario is:

1) Attempt to authenticate to the virtual media service with a random username/password. If the attacker is lucky, the authentication bypass vulnerability will log them in even with bogus credentials. If so, skip to #5. Otherwise, proceed to #2.


2) Attempt to authenticate to the virtual media service with a username of ADMIN and a password of ADMIN. These are the default username/password for Supermicro BMCs and are frequently unchanged. If this is successful, skip to #5. Otherwise, proceed to #3.


3) If the attacker can intercept traffic between the BMC and a legitimate user, the attacker can record the legitimate user’s encrypted authentication packet. Due to the weak crypto vulnerability, the attacker can easily decrypt the captured packet and use the credentials to connect to the virtual media service. If successful, go to #5. Otherwise, proceed to #4.


4) Since the virtual media service is exposed, it is likely that IPMI (UDP port 623) is also exposed. Existing attacks against IPMI (Authentication Bypass via Cipher 0 and RAKP Authentication Remote Password Hash Retrieval; both described here) can be used to either create a new account on the BMC or to download the password hashes for offline cracking. In a test with our internal servers, I was able to crack all 8 character BMC passwords in ~20h on a rental machine that costs $0.93/hr.


5) Use Facedancer to connect a virtual USB Keyboard and virtual USB CD-ROM drive to the host system via the virtual media service. The virtual keyboard is used to send CTRL-ALT-DELETE or other keystrokes to cause the server to reboot. Once the host begins to reboot, the virtual keyboard can then send keystrokes to cause the host system firmware to boot from the virtual CD-ROM. At that point, the attacker has taken control of the host system.


If I recall correctly, I ran zgrab2 over 2.7M IP addresses for our study and it took ~12h to complete.

Eclypsium has identified over 47,000 internet-exposed BMCs spread across 90 countries that may be vulnerable to attacks. A significant number of vulnerable BMCs may also be accessible from inside corporate networks.

Eclypsium reported the USBAnywhere vulnerabilities to Supermicro in June and July, and the company also alerted CERT/CC due to the significant number of internet-exposed vulnerable systems. Supermicro X9, X10 and X11 users should look for firmware updates that address the weaknesses.

In recent months, Eclypsium also disclosed potentially serious BMC vulnerabilities in motherboards from Lenovo, Gigabyte and other vendors, and flaws in 40 device drivers from 20 vendors that can be exploited to deploy persistent malware.

Related: Hackers Can Plant Backdoors on Bare Metal Cloud Servers

Related: Servers Can Be Bricked Remotely via BMC Attack

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.


GoAnywhere MFT users warned about a zero-day remote code injection exploit that can be targeted directly from the internet