Bug in Supermicro Hardware Could Let Virtual USBs Take Over Corporate Servers

Bug in Supermicro Hardware

We all know how risky it is to plug a strange or unknown USB drive or device into your computer. There could be malicious software just waiting to snatch at your computer controls and sensitive data! Luckily, if you have common sense you can avoid this major catastrophe by simply not plugging any strange devices into your computer. Unfortunately, this may no longer be enough! The creation of “virtual” USB drives can use a flaw in a remote management device, such as on you’d find in motherboard controllers, which allows any USB device to turn into a potential trojan horse.

Researchers from the firm Eclypsium recently revealed an alarming vulnerability found in Supermicro hardware at an Open Source Firmware Conference in Silicon Valley. They explained that they found vulnerabilities in some of Supermicro’s baseboard management controllers (BMCs), which are processors found on server motherboards which give hardware level management to system administrators remotely. The vulnerability tricks the server into thinking that a vetted device is directly connected. Any USB device can be used, such as a USB keyboard, which can directly command the server through the BMC (like shutting it down, downloading files, etc.,). They look completely legitimate and therefore may not be stopped with the usual security.

Specifically, Supermicro’s X9, X10, and X11 models are susceptible to weaponization. Possible actions could be to to remove data to a USB or external hard drive, replace the server’s operating system with a fake, malicious copy, or shut the server down completely. If the attacker already has corporate access, they can move laterally onto the BMC, or gain access remotely if they are left accessible on the open internet.  Researchers from Eclypsium found more than 47,000 instances of exposure.

Legitimate users of the remote management system use a virtual media web application from some device (laptop or other option) to call and access the BMC, thus giving them access to hardware. However, the authentication protections for these systems for the virtual media protocols are susceptible to a variety of attacks. Legitimate admin logins can be stored improperly, allowing the next user to input any credentials and still gain access.  Even if the protections snap shut on a login attempt, a hacker can still try to use default Supermicro credentials that aren’t frequently changed. If the attacker is already on the network, they can also intercept communication between the web app and the BMC, which is only weakly encrypted.

Eclypsium disclosed these flaws back in June and since then firmware updates for the affected units were dispatched. However, in practice BMCs tend to be slow in upgrading to the latest updates. It may be some time before vulnerabilities are completely eliminated. A Supermicro spokesperson thanked the researchers for their work and noted that, “Industry best practice is operating BMCs on an isolated private network not exposed to the internet, which would reduce, but not eliminate, the identified exposure.” The moral of the story is to keep your secured data away from open sources like the Internet, maintain proper security of your personnel and their private data/logins, and try to stay on top of latest bug and security news.

Last year, in October the Bloomberg Businessweek alleged that the Chinese military had compromised numerous Supermicro motherboards by installing a physical backdoor. Supermicro and other businesses that use its servers denied this claim.