USBAnywhere vulnerabilities put Supermicro servers at risk

Security researchers discovered a set of vulnerabilities in Supermicro servers that could allow threat actors to remotely attack systems as if they had physical access to the USB ports.

Researchers at Eclypsium, based in Beaverton, Ore., discovered flaws in the baseboard management controllers (BMCs) of Supermicro servers and dubbed the set of issues "USBAnywhere." The researchers said authentication issues put servers at risk because "BMCs are intended to allow administrators to perform out-of-band management of a server, and as a result are highly privileged components.

"The problem stems from several issues in the way that BMCs on Supermicro X9, X10 and X11 platforms implement virtual media, an ability to remotely connect a disk image as a virtual USB CD-ROM or floppy drive. When accessed remotely, the virtual media service allows plaintext authentication, sends most traffic unencrypted, uses a weak encryption algorithm for the rest, and is susceptible to an authentication bypass," the researchers wrote in a blog post. "These issues allow an attacker to easily gain access to a server, either by capturing a legitimate user's authentication packet, using default credentials, and in some cases, without any credentials at all."

The USBAnywhere flaws make it so the virtual USB drive acts in the same way a physical USB would, meaning an attacker could load a new operating system image, deploy malware or disable the target device. However, the researchers noted the attacks would be possible on systems where the BMCs are directly exposed to the internet or if an attacker already has access to a corporate network.

Rick Altherr, principal engineer at Eclypsium, told SearchSecurity, "BMCs are one of the most privileged components on modern servers. Compromise of a BMC practically guarantees compromise of the host system as well."

Eclypsium said there are currently "at least 47,000 systems with their BMCs exposed to the internet and using the relevant protocol." These systems would be at additional risk because BMCs are rarely powered off and the authentication bypass vulnerability can persist unless the system is turned off or loses power.

Altherr said he found the USBAnywhere vulnerabilities because he "was curious how virtual media was implemented across various BMC implementations," but Eclypsium found that only Supermicro systems were affected.

According to the blog post, Eclypsium reported the USBAnywhere flaws to Supermicro on June 19 and provided additional information on July 9, but Supermicro did not acknowledge the reports until July 29.

"Supermicro engaged with Eclypsium to understand the vulnerabilities and develop fixes. Supermicro was responsive throughout and worked to coordinate availability of firmware updates to coincide with public disclosure," Altherr said. "While there is always room for improvement, Supermicro responded in a way that produced an amicable outcome for all involved."

Altherr added that customers should "treat BMCs as a vulnerable device. Put them on an isolated network and restrict access to only IT staff that need to interact with them."

Supermicro noted in its security advisory that isolating BMCs from the internet would reduce the risk to USBAnywhere but not eliminate the threat entirely . Firmware updates are currently available for affected Supermicro systems, and in addition to updating, Supermicro advised users to disable virtual media by blocking TCP port 623.