Tens of thousands of servers worldwide powered by Supermicro motherboards are affected by a vulnerability that would allow an attacker to remotely take over them.
Researchers at firmware security firm Eclypsium discovered multiple vulnerabilities referred to as
A baseboard management controller (BMC) is a specialized service processor that monitors the physical state of a computer, network server or other hardware device using sensors and communicating with the system administrator through an independent connection. The BMC is part of the Intelligent Platform Management Interface (IPMI) and is usually contained in the motherboard or main circuit board of the device to be monitored.
The issues in BMCs on Supermicro X9, X10, and X11 platforms lie in the implementation of virtual media, the feature used to remotely connect a disk image as a virtual USB CD-ROM or floppy drive.
When accessed remotely, the virtual media service allows
Experts explained that some BMCs are left open online and can be managed over a web interface.
The web interface used by Supermicro servers to connect the BMC allows
“Once connected, the virtual media service allows the attacker to interact with the host system as a raw USB device,” continues the post.
“This means attackers can attack the server in the same way as if they had physical access to a USB port, such as loading a new operating system image or using a keyboard and mouse to modify the server, implant malware, or even disable the device entirely.”
The researchers discovered four different vulnerabilities affecting the virtual media service listening on TCP port 623 on the BMC:
“Taken together, these weaknesses open several scenarios for an attacker to gain unauthorized access to virtual media. In the simplest case, an attacker could simply try the well-known default username and password for the BMC. However, even if the default password was changed, an attacker could still easily gain access,” continues the analysis.
“If a valid administrator had used virtual media since the BMC was last powered off, the authentication bypass vulnerability would allow an attacker to connect even without the proper username and password,” the report explains.
At the time of publishing, researchers found at least 47,000 systems with their BMCs exposed to the Internet, most of them in the United States.
Experts also warn that the same vulnerabilities could be exploited by an attacker who has already gained access to a corporate network.
“Given the speed with which new BMC vulnerabilities are being discovered and their incredible potential impact, there is no reason for enterprises to risk exposing them directly to the Internet,” concludes Eclypsium.
“BMCs that are not exposed to the Internet should also be carefully monitored for vulnerabilities and threats. While organizations are often fastidious at applying patches for their software and operating systems, the same is often not true for the firmware in their servers.”
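As an added illustration (not code from the article or from Eclypsium), the following Python check shows how a defender could run firewall or flow logs through a filter that flags any connection reaching the BMC virtual media port (TCP 623) from outside a management allow-list, the exposure the report warns about. The BMC subnet, the allow-list and the log lines are constructed for this example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample flow records (not real traffic): "src_ip dst_ip dst_port proto"
SAMPLE_FLOWS = """\
10.20.0.15    10.20.0.201 623 tcp
203.0.113.77  10.20.0.201 623 tcp
198.51.100.9  10.20.0.202 443 tcp
10.20.0.15    10.20.0.202 623 udp
10.50.1.9     10.20.0.203 623 tcp
10.50.1.9     10.30.0.5   623 tcp
"""

# Assumed values for this example: where the BMCs live and who may talk to them.
BMC_SUBNET = ipaddress.ip_network("10.20.0.192/26")
ALLOWED_SOURCES = [ipaddress.ip_network("10.20.0.0/26")]  # management jump hosts
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
VIRTUAL_MEDIA_PORT = 623  # the Supermicro virtual media service named in the report (TCP)


@dataclass
class Finding:
    src: str
    dst: str
    reason: str


def parse_flow(line):
    """Split one constructed flow line into typed fields."""
    src, dst, port, proto = line.split()
    return ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port), proto.lower()


def find_exposed_virtual_media(flow_text):
    """Return a Finding for every TCP/623 flow into the BMC subnet from a non-allow-listed source."""
    findings = []
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        src, dst, port, proto = parse_flow(line)
        # UDP/623 is ordinary IPMI-over-LAN (RMCP); the virtual media service here is TCP/623.
        if dst not in BMC_SUBNET or port != VIRTUAL_MEDIA_PORT or proto != "tcp":
            continue
        if any(src in net for net in ALLOWED_SOURCES):
            continue
        origin = "internal" if any(src in net for net in INTERNAL_NETS) else "internet"
        findings.append(Finding(str(src), str(dst), f"{origin} source reached BMC virtual media port"))
    return findings


if __name__ == "__main__":
    for f in find_exposed_virtual_media(SAMPLE_FLOWS):
        print(f"ALERT {f.src} -> {f.dst}: {f.reason}")
```

The same filter run over real flow records tells you whether a BMC is reachable on the virtual media port from the Internet or from a host that should never manage it, which is the condition the article says left some 47,000 systems exposed.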