Supermicro servers vulnerable to virtual USB attack

Security vulnerabilities in Supermicro server products have left tens of thousands of corporate servers exposed to attacks involving virtually mounting any USB device, research has found.

The vulnerabilities were discovered by security company Eclypsium and detailed at last week’s Open Source Firmware Conference in Silicon Valley. Eclypsium has collectively named the vulnerabilities USBAnywhere.

The vulnerabilities in the baseboard management controllers of Supermicro servers can allow an attacker to easily connect to the server and virtually mount any USB device remotely to the server over any network, including the internet.

Eclypsium said it had found at least 47,000 systems with their BMCs exposed to the internet in this way. But the company said the same vulnerabilities can be exploited by attackers who gain access to a private corporate network, so many more servers are potentially at risk.

The problem stems from issues in the way that BMCs on Supermicro X9, X10 and X11 platforms implement virtual media. When accessed remotely, a virtual media service allows plaintext authentication, sends most traffic unencrypted and is susceptible to an authentication bypass.

These issues collectively allow attacks to easily gain access to a server using purloined or default credentials, and in some cases, without any credentials at all.

Attackers could use the ability to remotely mount USB devices to attack servers in the same way as if they had physical access to a USB port, including loading a new operating system image or using a mounted keyboard and mouse to implant malware into the system.

Supermicro has released updated software addressing the vulnerabilities. The company also advised customers that industry best practice involves operating BMCs on private networks not exposed to the internet.

Image credit: ©.shock/Dollar Photo Club