More than 47,000 Supermicro servers expose BMC ports on the Internet




USBAnywhere (picture: Eclypsium)

More than 47,000 workstations and servers built on Supermicro motherboards are currently open to attack because administrators have left an internal management component exposed on the Internet.

These systems are vulnerable to a new set of vulnerabilities called USBAnywhere, which affects the baseboard management controller (BMC) firmware of Supermicro motherboards.

Patches are available for the USBAnywhere vulnerabilities, but Supermicro and security experts also recommend cutting off Internet access to BMC management interfaces, both as a precaution and as an industry best practice.

What are BMCs?

BMCs are components of the Intelligent Platform Management Interface (IPMI). IPMI is a standard set of tools that are typically found on servers and workstations deployed on enterprise networks. IPMI allows system administrators to manage systems from remote locations, at a lower level and independent of the operating system.

IPMI tools allow a remote administrator to connect to a PC or server and send it instructions to perform various operations, such as changing operating system settings, reinstalling the operating system, or updating drivers.

Baseboard management controllers are at the heart of every IPMI remote management solution. BMCs are microcontrollers integrated into motherboards, with their own CPU, storage, and LAN interface.

BMCs act as an interface between the server / workstation hardware and a remote system administrator. They are the component that translates all IPMI commands into instructions for local hardware and, therefore, have full control over a computer.

Because of this level of access, access to a BMC interface is tightly restricted and protected by a password, usually known only to the company's system administrators.

What are the USBAnywhere vulnerabilities?

But in new research released today, Eclypsium security researchers said they discovered vulnerabilities in Supermicro's BMC firmware.

These vulnerabilities, which they named USBAnywhere, affect the firmware's virtual USB feature, which lets a system administrator plug a USB drive into their own computer and have it appear as a virtual USB drive attached to a remotely managed system, transferring data from the local USB key to the remote machine.

This feature – which is part of the larger BMC Virtual Media Service – is a small Java application served through the standard BMC Web interface that comes with Supermicro systems.

Eclypsium researchers discovered four authentication-related issues in the service used by this Java application:

● Plaintext authentication: While the Java application uses a unique session ID for authentication, the service also allows the client to use a plaintext user name and password.
● Unencrypted network traffic: Encryption is available but must be requested by the client. The Java application provided with the affected systems uses this encryption for the initial authentication packet, but then uses unencrypted packets for all other traffic.
● Weak encryption: When encryption is used, the payload is encrypted with RC4 using a fixed key compiled into the BMC firmware. This key is shared by all Supermicro BMCs. RC4 has multiple published cryptographic weaknesses and its use has been prohibited in TLS (RFC 7465).
● Authentication bypass (Supermicro X10 and X11 platforms only): Once a client has successfully authenticated to the virtual media service and then disconnected, part of the service's internal state about that client is incorrectly left intact. Because the internal state is tied to the client's socket file descriptor number, a new client that is assigned the same socket file descriptor number by the BMC's operating system inherits this internal state. In practice, this allows the new client to inherit the previous client's authorization even when the new client tries to authenticate with incorrect credentials.
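The "weak encryption" item above is worth seeing concretely. The block below is an added example, not Eclypsium's or Supermicro's code, and the key in it is a made-up placeholder rather than any real firmware key. It implements plain RC4 and shows why one fixed key shared by every device is not meaningfully encryption: every session gets the identical keystream, so XORing two ciphertexts cancels the keystream entirely, and a single known plaintext (a predictable protocol header, say) unmasks every other message of the same length. The names `rc4_crypt`, `keystream_reuse_leak` and `recover_with_known_plaintext` are this example's own.

```python
"""Added example (not Eclypsium's or Supermicro's code): why a fixed RC4 key
shared by every device is not really encryption.

RC4 is a stream cipher: ciphertext = plaintext XOR keystream(key). If the key
is the same for every BMC and every session, the keystream is the same too, so
XORing two ciphertexts cancels the keystream and leaves plaintext XOR plaintext.
"""

# Constructed placeholder standing in for a key baked into firmware; not a real key.
FIXED_KEY = b"placeholder-fixed-key"


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (key scheduling + PRGA); included only to illustrate the weakness."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    while len(out) < length:                  # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings over their common prefix."""
    return bytes(x ^ y for x, y in zip(a, b))


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt; XOR with the keystream is its own inverse."""
    return xor_bytes(data, rc4_keystream(key, len(data)))


def keystream_reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """With no knowledge of the key: c1 XOR c2 == p1 XOR p2 whenever both
    ciphertexts were produced with the same keystream."""
    return xor_bytes(c1, c2)


def recover_with_known_plaintext(c_known: bytes, p_known: bytes, c_target: bytes) -> bytes:
    """Knowing one (ciphertext, plaintext) pair reveals the keystream prefix,
    which then strips the protection from any other message using it."""
    keystream = xor_bytes(c_known, p_known)
    return xor_bytes(c_target, keystream)


def demo() -> bytes:
    """Two sessions, one fixed key: the second session's payload is recovered
    from the first session's known plaintext. Payloads are constructed."""
    p1 = b"session-one payload: USB block 0001"
    p2 = b"session-two payload: USB block 0002"
    c1 = rc4_crypt(FIXED_KEY, p1)
    c2 = rc4_crypt(FIXED_KEY, p2)
    # The keystream cancels out without ever touching the key.
    assert keystream_reuse_leak(c1, c2) == xor_bytes(p1, p2)
    return recover_with_known_plaintext(c1, p1, c2)


if __name__ == "__main__":
    print(demo())
```

The mitigation is the one the vendor chose: drop the home-grown RC4 layer and wrap the service in TLS, which negotiates a fresh per-session key and uses an authenticated cipher, so neither the keystream cancellation nor the known-plaintext shortcut applies.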

Supermicro has released patches

Eclypsium reported the four issues to Supermicro, and the vendor posted patches on its website for Supermicro X9, X10, and X11 cards.

"We want to thank the researchers who identified the BMC Virtual Media vulnerability," a Supermicro spokesperson told ZDNet in an email last week.

The vendor also said it had worked closely with Eclypsium to validate that the patches work as expected and that they can now be deployed safely.

"The key changes include encapsulating the virtual media service with TLS, removing the clear-text authentication feature, and fixing the bug that led to the authentication bypass," Rick Altherr, Principal Engineer at Eclypsium, told ZDNet in an email about the Supermicro patches.

The most dangerous bug

Of the four bugs, the fourth is the one that is most likely to cause problems. This bug allows a malicious hacker to make repeated connections to the virtual media service (Java application) of the BMC web interface until they land on the same server socket that is used by a legitimate administrator.

While exploiting this vulnerability may look like a matter of luck, Altherr does not recommend that companies try their luck.

"Although the exact conditions that lead to socket number reuse under Linux can be complex and therefore a matter of blind chance, the usage model of the virtual media service tends to increase the chances," he told ZDNet.

"In our tests, we were able to reliably exploit the authentication bypass against a BMC several weeks after the virtual media service had been used by a legitimate user."

In that case, the attacker can interact with the BMC even without valid credentials.
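The bug described above is a general class, not something specific to one vendor: per-client state keyed by a socket file descriptor, plus a kernel that recycles descriptor numbers, equals state leaking from one client to the next unless it is torn down on disconnect. The toy model below is an added example, not Supermicro's firmware code; it shows the vulnerable and patched behaviour side by side under a `patched` flag, with a constructed credential table and a minimal stand-in for the kernel's lowest-free-descriptor allocation. The class and function names are this example's own.

```python
"""Added example (not Supermicro's firmware code): a toy model of the
authentication-bypass bug class and of the fix.

The service keeps per-client state in a table keyed by the client's socket file
descriptor. The operating system recycles descriptors, so if the entry is not
removed on disconnect, the next client to receive that descriptor number
inherits the previous client's authorization.
"""

# Constructed demo credentials; not from any real system.
VALID_CREDENTIALS = {"admin": "correct horse battery staple"}


class FdAllocator:
    """Mimics the kernel: the lowest free descriptor number is handed out first."""

    def __init__(self) -> None:
        self._free: set[int] = set()
        self._next = 3  # 0, 1, 2 are stdin/stdout/stderr

    def open(self) -> int:
        if self._free:
            fd = min(self._free)
            self._free.remove(fd)
            return fd
        fd = self._next
        self._next += 1
        return fd

    def close(self, fd: int) -> None:
        self._free.add(fd)


class VirtualMediaService:
    """Per-client authorization state keyed by descriptor number (the flaw)."""

    def __init__(self, patched: bool) -> None:
        self.patched = patched
        self.fds = FdAllocator()
        self.authorized: dict[int, str] = {}  # fd -> user name

    def connect(self) -> int:
        fd = self.fds.open()
        if self.patched:
            self.authorized.pop(fd, None)  # defence in depth: a new socket starts with no rights
        return fd

    def authenticate(self, fd: int, user: str, password: str) -> bool:
        ok = VALID_CREDENTIALS.get(user) == password
        if ok:
            self.authorized[fd] = user
        elif self.patched:
            self.authorized.pop(fd, None)  # a failed login must not leave rights behind
        return ok

    def is_authorized(self, fd: int) -> bool:
        return fd in self.authorized

    def disconnect(self, fd: int) -> None:
        if self.patched:
            self.authorized.pop(fd, None)  # the actual fix: tear down per-client state
        self.fds.close(fd)


def stale_state_grants_access(patched: bool) -> bool:
    """True if a later client presenting wrong credentials ends up authorized."""
    svc = VirtualMediaService(patched)
    admin_fd = svc.connect()
    assert svc.authenticate(admin_fd, "admin", VALID_CREDENTIALS["admin"])
    svc.disconnect(admin_fd)
    later_fd = svc.connect()           # the kernel hands back the same descriptor number
    assert later_fd == admin_fd
    svc.authenticate(later_fd, "admin", "wrong password")
    return svc.is_authorized(later_fd)


if __name__ == "__main__":
    print("unpatched leaks access:", stale_state_grants_access(patched=False))
    print("patched leaks access:  ", stale_state_grants_access(patched=True))
```

The lesson for anyone writing a network daemon is the same as the vendor's fix: never let a kernel-recycled integer be the key to security state without clearing that state on close, and reset it again on accept so a missed cleanup path cannot turn into a bypass.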

The Eclypsium research team said that an attacker could "boot the machine from a malicious USB image, exfiltrate data to a USB mass storage device, or use a virtual USB Rubber Ducky that quickly performs a carefully designed sequence of keystrokes" to carry out virtually any other kind of attack on the BMC, the firmware, or the server it manages.

Between 47,000 and 55,000 Supermicro BMCs exposed online

Such attacks are dangerous enough when they require physical access, but they are far more dangerous when carried out over a remote vector such as the Internet.

"A scan of TCP port 623 across the Internet revealed 47,339 BMCs in more than 90 countries with the affected virtual media service publicly accessible," Eclypsium researchers said.

These systems can now be attacked and potentially compromised.

Attackers could install malicious programs on these systems that survive operating system reinstallations, or even temporarily disable servers, a tactic that could be used to sabotage competitors or extort ransom payments from organizations running systems with exposed BMC virtual media ports.

A BinaryEdge search performed by ZDNet prior to the publication of this article found even more exposed systems: more than 55,000 Supermicro IPMI interfaces exposing port 623 online.

The vast majority of these systems were on data center and web hosting networks, exposing these companies and their respective customers to USBAnywhere attacks.

Image: BinaryEdge search results for exposed Supermicro IPMI interfaces (ZDNet)

Supermicro: install patches, remove BMCs from the Internet

"Industry best practice is to operate BMCs on an isolated private network not exposed to the Internet, which would reduce, but not eliminate, the identified exposure," a Supermicro spokesperson told ZDNet last week.

The company recommends that customers install the latest patches to permanently close the USBAnywhere attack vector.
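Whether a BMC is really confined to the management network is something an operator can verify from a scan of their own address space. The block below is an added example, not from the article, Eclypsium or Supermicro: it parses a scan in nmap's grepable (`-oG`) layout and reports every host answering on port 623 (TCP or UDP) whose address lies outside the management networks the operator allowlists. The scan lines embedded in it are constructed sample data on documentation address ranges, not real scan results, and the function names are this example's own. An explicit allowlist is used deliberately rather than `ipaddress`'s `is_private`/`is_global`, because those treat the documentation ranges used here as private and, more importantly, "private" is not the same as "reachable only from the management VLAN".

```python
"""Added example (not the article's, Eclypsium's or Supermicro's code): flag
BMC/IPMI interfaces that answer on port 623 outside the allowed management
networks. Input follows nmap's grepable (-oG) layout; the sample is constructed."""
import ipaddress
import re

IPMI_PORT = 623  # RMCP/IPMI, and per the article the port the virtual media service listens on

# Constructed sample in nmap -oG layout (documentation address ranges); not a real scan.
SAMPLE_SCAN = (
    "Host: 203.0.113.10 ()\tPorts: 443/open/tcp//https///, 623/open/tcp//oob-ws-http///"
    "\tIgnored State: closed (998)\n"
    "Host: 203.0.113.11 ()\tPorts: 22/open/tcp//ssh///, 623/closed/tcp//oob-ws-http///\n"
    "Host: 10.20.0.5 ()\tPorts: 623/open/tcp//oob-ws-http///, 623/open/udp//asf-rmcp///\n"
    "Host: 198.51.100.7 ()\tPorts: 623/open/udp//asf-rmcp///\n"
)

# "Host: <ip> (<name>)<tab>Ports: <entries><tab>..." ; the Ports field runs to the next tab.
_HOST_RE = re.compile(r"^Host:\s+(\S+)\s.*?Ports:\s+([^\t]+)")


def parse_grepable(text: str) -> dict[str, set[tuple[int, str]]]:
    """Map each host address to the set of (port, protocol) pairs reported open."""
    hosts: dict[str, set[tuple[int, str]]] = {}
    for line in text.splitlines():
        m = _HOST_RE.match(line)
        if not m:
            continue                       # comment lines, "Nmap done", etc.
        ip, ports_field = m.group(1), m.group(2)
        open_ports: set[tuple[int, str]] = set()
        for entry in ports_field.split(","):
            fields = entry.strip().split("/")   # port/state/proto/owner/service/...
            if len(fields) >= 3 and fields[1] == "open":
                open_ports.add((int(fields[0]), fields[2]))
        hosts[ip] = open_ports
    return hosts


def find_exposed_bmcs(text: str, management_nets: list[str]) -> list[str]:
    """Hosts with port 623 open whose address is not inside any allowed
    management network. Explicit allowlist on purpose: ipaddress treats the
    documentation ranges as private, and 'private' is not 'management-only'."""
    allowed = [ipaddress.ip_network(n) for n in management_nets]
    exposed: list[str] = []
    for ip, open_ports in parse_grepable(text).items():
        if not any(port == IPMI_PORT for port, _proto in open_ports):
            continue
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in allowed):
            exposed.append(ip)
    return sorted(exposed)


if __name__ == "__main__":
    for host in find_exposed_bmcs(SAMPLE_SCAN, ["10.20.0.0/16"]):
        print("BMC reachable outside management network:", host)
```

Run against a real `nmap -oG` file produced from a vantage point outside the management VLAN (the vendor's own advice is to see exactly nothing there); a hit on 623/tcp is the virtual media service the article discusses, a hit on 623/udp is the IPMI/RMCP listener, and either one is worth a firewall rule before it is worth a patch window.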

This is not the first time security experts have warned against leaving BMC/IPMI management interfaces accessible from the Internet.

In 2013, academics found 100,000 IPMI-enabled systems from three major vendors accessible via the Internet. At the time, BMC firmware protections were not standard, and all of those servers could have had their firmware overwritten with malicious versions.
