Enterprise servers equipped with Supermicro motherboards can be exploited remotely by virtually plugging in malicious USB devices.
Cybersecurity researchers at the firmware security company Eclypsium said that it is possible to launch all types of USB attacks against vulnerable Supermicro servers without physical access to them and without having to wait for a victim to plug an unknown, untrusted USB drive into their computer.
The attack, collectively dubbed “USBAnywhere,” relies on a number of newly discovered vulnerabilities in the firmware of BMC controllers that permit an unauthorized, remote attacker to connect to a Supermicro server and virtually mount a malicious USB device.
A baseboard management controller (BMC) is a hardware chip at the core of Intelligent Platform Management Interface (IPMI) utilities that allows sysadmins to remotely control and monitor a server without having to access the operating system or the applications running on it. It comes embedded in the majority of server chipsets.
In simple terms, a BMC is an out-of-band management system that lets admins perform actions remotely, such as rebooting a device, analyzing logs, installing an operating system, and updating the firmware.
One of its capabilities is virtual media: connecting a disk image to a remote server as a virtual USB CD-ROM or floppy drive.
According to a report published today by Eclypsium, BMCs on Supermicro X9, X10, and X11 platforms use an insecure implementation to authenticate the client and transport USB packets between client and server.
These weaknesses can easily be exploited by a remote attacker to bypass the authentication process of the virtual media service listening on TCP port 623, or to intercept traffic and recover weakly encrypted or entirely unencrypted BMC credentials.
The weaknesses include Plaintext Authentication, Unencrypted Network Traffic, Weak Encryption and Authentication Bypass (X10 and X11 platforms only).
The researchers state that, when accessed remotely, the virtual media service allows plaintext authentication, sends most traffic unencrypted, uses a weak encryption algorithm for the rest, and is susceptible to an authentication bypass.
These issues let an attacker easily gain access to a server, either by capturing a legitimate user’s authentication packet or by using default credentials.
Once connected, the compromised virtual media service allows attackers to interact with the host system as a raw USB device, letting them do anything that could be done with physical access to a USB port: exfiltrating data, implanting malware, booting from untrusted OS images, manipulating the system directly via a virtual keyboard and mouse, or disabling the device entirely.
A scan of TCP port 623 across the Internet revealed more than 47,000 BMCs from over 90 different countries with the affected BMC firmware virtual media service publicly accessible.
These vulnerabilities can also be exploited by an attacker who has access to a closed corporate network, or by a man-in-the-middle attacker positioned within the client-side network.
These findings were reported to Supermicro in June and July this year; the company acknowledged them in August and publicly released firmware updates for its X9, X10 and X11 platforms before September 3rd.
All enterprises are advised to update their BMC firmware at the earliest. It is also important to ensure that BMCs are never directly exposed to the Internet, since direct exposure increases the chance of such attacks.
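One way for a defender to check whether the exposure described above exists on their own network is to audit firewall or flow logs for connections to the BMC virtual media port (TCP 623) that originate outside the management subnet. The following is an added example, not code from Eclypsium or Supermicro; the log format, the BMC and management address ranges, and the sample flow records are all constructed assumptions.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

# Constructed sample flow records, one per line: "src dst proto dport action".
SAMPLE_FLOWS = """\
198.51.100.23 10.99.0.10 tcp 623 allow
10.20.0.5 10.99.0.10 tcp 623 allow
10.50.7.8 10.99.0.11 tcp 623 allow
203.0.113.9 10.99.0.12 tcp 443 allow
10.20.0.9 10.99.0.12 udp 623 allow
198.51.100.40 10.99.0.10 tcp 623 deny
"""

# Assumed ranges: BMC interfaces, admin workstations allowed to use virtual media,
# and what counts as "internal" (RFC 1918) for this organization.
BMC_NET = ipaddress.ip_network("10.99.0.0/24")
MGMT_NETS = [ipaddress.ip_network("10.20.0.0/16")]
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
VIRTUAL_MEDIA_PORT = 623  # TCP port of the Supermicro BMC virtual media service

FLOW_RE = re.compile(r"^(\S+)\s+(\S+)\s+(tcp|udp)\s+(\d+)\s+(\w+)$")


def classify_flow(line: str) -> Optional[Tuple[str, str]]:
    """Return (severity, reason) for a flow reaching a BMC's virtual media port from outside the management net, else None."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None  # unparseable line; a real tool would log this
    src, dst, proto, dport, action = m.groups()
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # Only allowed TCP/623 toward a BMC is in scope; UDP/623 is IPMI over LAN, a different service.
    if proto != "tcp" or int(dport) != VIRTUAL_MEDIA_PORT:
        return None
    if dst_ip not in BMC_NET or action != "allow":
        return None
    if any(src_ip in net for net in MGMT_NETS):
        return None  # expected admin traffic
    if not any(src_ip in net for net in INTERNAL_NETS):
        return ("critical", f"BMC {dst} virtual media port reached from Internet host {src}")
    return ("high", f"BMC {dst} virtual media port reached from non-management host {src}")


def audit_flows(text: str) -> List[Tuple[str, str]]:
    """Run classify_flow over every line and collect the findings."""
    return [f for f in (classify_flow(line) for line in text.splitlines()) if f]


if __name__ == "__main__":
    for severity, reason in audit_flows(SAMPLE_FLOWS):
        print(f"[{severity}] {reason}")
```

A "critical" finding means the BMC is reachable from a public address and should be treated as an exposed management interface, not merely a firewall misconfiguration.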