Supermicro X9, X10 and X11 servers are affected by authentication vulnerabilities in their Baseboard Management Controllers (BMCs). The flaws let a remote attacker connect to the server and attach any of the available virtual USB devices of their choice. The bugs have been named USBAnywhere.
USBAnywhere gives an attacker remote access to the BMC's virtual media service, and from there the attacker can reach the host over a virtual USB device. Possible attacks include direct manipulation of the system through a virtual keyboard and mouse, booting from untrusted OS images, and data exfiltration. All of these findings come from researchers at Eclypsium.
What is a BMC?
A BMC is a specialized processor that monitors the physical state of a server, computer system or other hardware device using sensors and communicates with the system administrator. It was created to let administrators perform out-of-band management of a server easily, which is why it is such an important component of a corporate server. If an attacker gains access to it, they can steal or even corrupt corporate assets.
The researchers found about 47000 servers exposing the vulnerable protocol of their BMCs to the internet. However, the issue is not limited to corporations whose servers are attached to the internet. If an attacker gains access to the corporate network, the same attack works against internal servers and corporate data can be compromised.
How is a USB device imitated?
USBAnywhere stems from several problems in the implementation of virtual media on the Supermicro X9, X10 and X11 platforms. This technology allows a user to remotely attach a disk image as a virtual USB CD-ROM. When the server is accessed remotely through virtual USB, the virtual media service uses a weak encryption algorithm, sends most traffic unencrypted, allows plaintext authentication and is susceptible to an authentication bypass.
In short, these issues let an attacker gain access to the server by using default credentials, by capturing a legitimate user's authentication packet, or in some cases without any credentials at all. Once the connection is made, the virtual media service lets the attacker interact directly with the host system as a raw USB device, as if they were physically plugging a USB device into the system.
How does the authentication bypass work?
Suppose the administrator discovers that an outsider has attacked the server and changes the username and password used for authentication. This will not help: the attacker can still do what they came to do. This authentication bypass affects the Supermicro X10 and X11 platforms.
Once a client authenticates to the virtual media service and then disconnects, part of the service's per-client internal state is incorrectly left intact. The next client to receive the same socket file descriptor therefore gets the internal state of the previous client, and inherits the previous client's authentication even if it authenticates with incorrect credentials.
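To make the state-reuse flaw concrete, here is an added example (constructed for this article, not Supermicro's firmware code) that models a connection-oriented service keeping per-client state in a table keyed by socket file descriptor. `StaleStateService` reproduces the behaviour described above: it never clears the entry on disconnect and a failed login leaves the old `authenticated` flag untouched, so a second client that is handed the same fd inherits the first client's session. `FreshStateService` shows the corrected lifecycle. The credential values, fd numbers and image name are all placeholders.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Type

# Constructed sample credential store; placeholder values only.
VALID_CREDENTIALS = {"admin": "example-password"}


@dataclass
class ConnState:
    """Per-connection state the service keeps for one socket."""
    authenticated: bool = False
    user: Optional[str] = None


class StaleStateService:
    """Models the flawed behaviour: per-connection state is kept in a table
    keyed by socket file descriptor and is never cleared on disconnect, so
    whoever is handed the same fd next inherits the previous session."""

    def __init__(self) -> None:
        self._state: Dict[int, ConnState] = {}

    def connect(self, fd: int) -> None:
        # Flaw 1: if an entry for this fd already exists, it is reused as-is.
        self._state.setdefault(fd, ConnState())

    def authenticate(self, fd: int, user: str, password: str) -> bool:
        st = self._state[fd]
        if VALID_CREDENTIALS.get(user) == password:
            st.authenticated = True
            st.user = user
        # Flaw 2: a failed attempt leaves a stale 'authenticated' flag untouched.
        return st.authenticated

    def disconnect(self, fd: int) -> None:
        # Flaw 3: nothing is torn down when the client goes away.
        return None

    def attach_virtual_media(self, fd: int, image: str) -> bool:
        """Returns True if the service would let this fd attach a virtual USB
        CD-ROM image; the name is a placeholder for the real operation."""
        st = self._state.get(fd)
        return bool(st and st.authenticated)


class FreshStateService(StaleStateService):
    """Corrected handling: state is created fresh on connect, reflects only
    the most recent authentication attempt, and is destroyed on disconnect."""

    def connect(self, fd: int) -> None:
        self._state[fd] = ConnState()

    def authenticate(self, fd: int, user: str, password: str) -> bool:
        st = self._state[fd]
        ok = VALID_CREDENTIALS.get(user) == password
        st.authenticated = ok
        st.user = user if ok else None
        return ok

    def disconnect(self, fd: int) -> None:
        self._state.pop(fd, None)


def replay_fd_reuse(service_cls: Type[StaleStateService]) -> bool:
    """Scenario from the text: a legitimate client authenticates on fd 5 and
    disconnects; the OS hands fd 5 to the next client, which supplies wrong
    credentials and then tries to attach media. Returns whether it succeeds."""
    svc = service_cls()
    svc.connect(5)
    assert svc.authenticate(5, "admin", "example-password")
    svc.disconnect(5)

    svc.connect(5)  # same fd number, different client
    svc.authenticate(5, "admin", "wrong-password")
    return svc.attach_virtual_media(5, "untrusted-boot.iso")


if __name__ == "__main__":
    print("stale-state service lets the second client attach media:",
          replay_fd_reuse(StaleStateService))  # True
    print("fresh-state service lets the second client attach media:",
          replay_fd_reuse(FreshStateService))  # False
```

The defensive point is that authorization must be derived from the current connection's own successful login, not from whatever a reused handle or slot happened to hold before; a code review or fuzz harness that cycles connect, authenticate, disconnect on a fixed fd catches this class of bug before it reaches firmware.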
Moreover, since BMCs are designed to be always online, they are rarely reset or powered off, which makes exploitation easier. Once the attacker has passed the authentication step, they can reach the host through the BMC as a virtual USB device. In response to these findings, Supermicro has announced that it will release firmware fixes for the X9, X10 and X11 platforms.
The vendor is a popular one in the market and offers a lot of green computing services, but this bug discovery has created an issue for them. Let us see how they deal with it. Do share your comments about this below.