USBAnywhere Vulnerabilities Found on Supermicro Servers Could Allow Hackers to Exploit Them Remotely

• The vulnerabilities allow attackers to obtain credentials for the Baseboard Management Controllers (BMCs) of Supermicro X9-X11 servers.
• The issue not only affects BMCs exposed on the internet but can also be exploited by attackers who gain access to corporate networks.

Multiple workstations and servers that run on Supermicro motherboards are found to be vulnerable to remote attacks. Supermicro administrators have left one of the internal components exposed on the internet and this could provide a remote attacker full power over a vulnerable server or its contents.

The vulnerabilities were collectively called “USBAnywhere” and allows attackers to obtain credentials for the Baseboard Management Controllers (BMCs) of Supermicro X9-X11 servers.

Who discovered the bugs?

Security researchers from enterprise security provider firm “Eclypsium” uncovered the vulnerabilities in the Baseboard Management Controllers (BMCs) of Supermicro servers and released a detailed report on Tuesday detailing them.

Researchers pointed out that, "At the time of writing, we found at least 47,000 systems with their BMCs exposed to the Internet and using the relevant protocol."

What are BMCs?

BMCs are components part of the Intelligent Platform Management Interface (IPMI). IPMI tools are usually found on servers and workstations deployed on enterprise networks. Using IPMI, system administrators can manage them from remote locations, at a level lower and independent from the operating system.

IPMI tools can also allow a remote administrator to connect or send instructions to a PC/server and perform various operations, such as modify OS settings, reinstall the OS, or update drivers.

What are the USBAnywhere vulnerabilities?

These vulnerabilities branch out from several issues relating to BMCs on Supermicro X9, X10, and X11 platforms implement virtual media, that provides a feature to remotely connect a disk image as a virtual USB CD-ROM or floppy drive. This feature is part of a small Java application that is served via a standard BMC web interface that ships with Supermicro-based systems.

Security researchers found four different bugs related to the authentication used by this Java application.

1. Plaintext authentication: The Java application uses two different methods for authentication. One of the methods uses a unique session ID for authentication while the other method allows clients to use a plaintext username and password for authentication.
2. Unencrypted network traffic: The Java application uses an encrypted network for initial authentication after which it uses unencrypted packages for all other traffic.
3. Weak Encryption: When the application uses encryption, the payload is encrypted with RC4 using a fixed key compiled into the BMC firmware. This key is common for all Supermicro BMCs. Also, RC4 is known to have multiple cryptographic weaknesses and has been prohibited from use in TLS (RFC7465).
4. Authentication Bypass (specific to Supermicro X10 and X11 platforms): This vulnerability allows the client to inherit the previous client’s authentication even when the new client uses incorrect credentials for login.

Risk of exploits

“This virtual hub supports up to five virtual downstream devices that can be configured in almost any fashion,” Eclypsium researchers said. “The devices within the virtual USB hub of the Supermicro devices rely on software on the BMC to provide [the identity and type of device connecting to it]. Consequently, the BMC hardware allows the software to be any USB device. This is how the Java application can be a virtual CD-ROM drive.”

In addition to that, researchers also pointed out that “It is important to remember that these are only the BMCs that are directly exposed to the Internet. The same issues can be easily exploited by attackers who gain access to a corporate network.”

Mitigation

“It is important to note that BMCs should never be directly exposed to the Internet. While the underlying issues described here would apply to connections over any network, direct exposure to the Internet greatly increases the likelihood of an attack,” researchers said.

Eclypsium reported that Supermicro has released patches for all the four vulnerabilities on its website. The fixes also include for Supermicro X9, X10, and X11 motherboards. Supermicro had also thanked Eclypsium researchers for pointing out the vulnerabilities and worked closely with Eclypsium to validate and provide intended fixes, ZDNet reported.