High-tech manufacturer Supermicro this week issued an update for its baseboard management controller (BMCs) software, after researchers found a series of vulnerabilities that remote attackers could exploit to mount USB devices to affected servers over any network connection, including the internet.

The bugs affect Supermicro's X9, X10, X11, H11 and H12 servers, and are found specifically within the BMC/IMPI Virtual Media function, which normally enables users to attach a disk image to the server as a virtual CD/DVD or floppy drive.

However, "When accessed remotely, the virtual media service allows plaintext authentication, sends most traffic unencrypted, uses a weak encryption algorithm for the rest, and is susceptible to an authentication bypass," warns a Sept. 3 blog post from Eclypsium, whose researchers uncovered the vulnerabilities and collectively named them USBAnywhere. "These issues allow an attacker to easily gain access to a server, either by capturing a legitimate user’s authentication packet, using default credentials, and in some cases, without any credentials at all."

Please register to continue.

Already registered? Log in.

Once you register, you'll receive:

  • News analysis

    The context and insight you need to stay abreast of the most important developments in cybersecurity. CISO and practitioner perspectives; strategy and tactics; solutions and innovation; policy and regulation.

  • Archives

    Unlimited access to nearly 20 years of SC Media industry analysis and news-you-can-use.

  • Daily Newswire

    SC Media’s essential morning briefing for cybersecurity professionals.

  • Learning Express

    One-click access to our extensive program of virtual events, with convenient calendar reminders and ability to earn CISSP credits.