
Supermicro fixes BMC software flaws that expose servers to virtual USB attacks

High-tech manufacturer Supermicro this week issued an update for its baseboard management controller (BMC) software, after researchers found a series of vulnerabilities that remote attackers could exploit to mount USB devices to affected servers over any network connection, including the internet.

The bugs affect Supermicro's X9, X10, X11, H11 and H12 servers, and are found specifically within the BMC/IPMI Virtual Media function, which normally enables users to attach a disk image to the server as a virtual CD/DVD or floppy drive.

However, "When accessed remotely, the virtual media service allows plaintext authentication, sends most traffic unencrypted, uses a weak encryption algorithm for the rest, and is susceptible to an authentication bypass," warns a Sept. 3 blog post from Eclypsium, whose researchers uncovered the vulnerabilities and collectively named them USBAnywhere. "These issues allow an attacker to easily gain access to a server, either by capturing a legitimate user’s authentication packet, using default credentials, and in some cases, without any credentials at all."

Such unauthorized access could then allow adversaries to "interact with the host system as a raw USB device," Eclypsium explains, and attack the server as if they actually had physical access to its USB ports. Attackers could theoretically load a new operating system image or use a keyboard and mouse "to modify the server, implant malware, or even disable the device entirely."

After applying the software updates, users can further mitigate the problems by operating BMCs on an isolated private network (and not the internet), and by disabling Virtual Media by blocking TCP port 623, Supermicro recommends in its own online vulnerability advisory.

At the time Eclypsium published its blog post, its researchers were aware of at least 47,000 systems with their BMCs exposed to the internet and using the affected protocol.
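The two mitigations above (keep BMCs on an isolated management network; make sure the virtual media service on TCP port 623 is not reachable from anywhere else) are easy to state and easy to let drift. The following audit script is an added example, not code from the article, from Supermicro or from Eclypsium. It takes a constructed inventory of BMC addresses (hypothetical host names and addresses, not from the article), checks each one against an assumed management subnet, and performs a plain TCP connect probe against port 623 from wherever the script is run. It is meant to be run from a host outside the management network, such as an ordinary workstation, so that any completed handshake to port 623 is a finding.

```python
"""Audit a BMC inventory against the USBAnywhere mitigations.

A BMC is flagged when it sits outside the isolated management subnet, or when the
virtual media service (TCP/623) answers a connection from the auditing host.
Added example; host names, addresses and the management CIDR are constructed.
"""
import ipaddress
import socket
from typing import Callable, Dict, List

# TCP port of the Supermicro virtual media service named in the advisory.
VIRTUAL_MEDIA_PORT = 623

# Constructed sample inventory: BMC name -> BMC IP address (hypothetical values).
SAMPLE_INVENTORY: Dict[str, str] = {
    "db-01-bmc": "10.10.5.4",
    "web-03-bmc": "10.10.5.9",
    "lab-bmc": "203.0.113.17",  # documentation range, standing in for a public address
}

# Assumed isolated management subnet; adjust to the real one.
MANAGEMENT_CIDR = "10.10.0.0/16"


def on_management_network(addr: str, mgmt_cidr: str) -> bool:
    """True when the BMC address lies inside the isolated management subnet."""
    return ipaddress.ip_address(addr) in ipaddress.ip_network(mgmt_cidr, strict=False)


def port_reachable(addr: str, port: int, timeout: float = 1.0) -> bool:
    """TCP connect probe from the auditing host.

    A completed handshake means the service is reachable from this network
    position; a refused or timed-out connection is reported as not reachable.
    """
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit_inventory(
    inventory: Dict[str, str],
    mgmt_cidr: str,
    reach: Callable[[str, int], bool] = port_reachable,
) -> List[dict]:
    """Return one finding per BMC that violates either mitigation.

    `reach` is injectable so the audit logic can be exercised without network
    access (the test below passes a fake).
    """
    findings = []
    for name, addr in inventory.items():
        isolated = on_management_network(addr, mgmt_cidr)
        exposed = reach(addr, VIRTUAL_MEDIA_PORT)
        if not isolated or exposed:
            findings.append(
                {
                    "host": name,
                    "addr": addr,
                    "isolated": isolated,
                    "port_623_reachable": exposed,
                }
            )
    return findings


if __name__ == "__main__":
    # Run from a host outside the management network.
    for finding in audit_inventory(SAMPLE_INVENTORY, MANAGEMENT_CIDR):
        reasons = []
        if not finding["isolated"]:
            reasons.append("BMC address outside management subnet")
        if finding["port_623_reachable"]:
            reasons.append("virtual media port 623 reachable from this host")
        print(f"{finding['host']} ({finding['addr']}): {'; '.join(reasons)}")
```

A closed port from one vantage point is not proof of isolation: a firewall may still admit other source networks, so the subnet check and the probe are complementary, and the probe should be repeated from each network position that should not be able to reach the BMCs. The script does not speak the virtual media protocol at all; it only observes whether the TCP port answers.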

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts and video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
