Supermicro servers vulnerable to virtual USB attack


By Dylan Bushell-Embling
Monday, 09 September, 2019



Security vulnerabilities in Supermicro server products have left tens of thousands of corporate servers exposed to attacks involving virtually mounting any USB device, research has found.

The vulnerabilities were discovered by security company Eclypsium and detailed at last week’s Open Source Firmware Conference in Silicon Valley. Eclypsium has collectively named the vulnerabilities USBAnywhere.

The vulnerabilities in the baseboard management controllers of Supermicro servers can allow an attacker to easily connect to the server and virtually mount any USB device remotely to the server over any network, including the internet.

Eclypsium said it had found at least 47,000 systems with their BMCs exposed to the internet in this way. But the company said the same vulnerabilities can be exploited by attackers who gain access to a private corporate network, so many more servers are potentially at risk.

The problem stems from issues in the way that BMCs on Supermicro X9, X10 and X11 platforms implement virtual media. When accessed remotely, a virtual media service allows plaintext authentication, sends most traffic unencrypted and is susceptible to an authentication bypass.

Together, these issues allow attackers to gain access to a server easily using stolen or default credentials, and in some cases without any credentials at all.

Attackers could use the ability to remotely mount USB devices to attack servers in the same way as if they had physical access to a USB port, including loading a new operating system image or using a mounted keyboard and mouse to implant malware into the system.

Supermicro has released updated software addressing the vulnerabilities. The company also advised customers that industry best practice involves operating BMCs on private networks not exposed to the internet.
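As an added example (not from the article, Eclypsium or Supermicro), the following script audits a constructed BMC inventory against the isolation advice above: it flags any BMC address that is not in a private (RFC 1918) range or that sits outside the hypothetical management subnet where BMCs are allowed to live.

```python
import ipaddress
from dataclasses import dataclass

# Constructed inventory of (hostname, BMC address); none of these are real hosts.
BMC_INVENTORY = [
    ("db01", "10.20.30.11"),
    ("db02", "10.20.30.12"),
    ("web01", "192.0.2.45"),   # constructed: a non-RFC1918 address on a BMC
    ("lab01", "10.99.0.7"),    # constructed: private, but not on the management VLAN
]

# Hypothetical management network(s) where BMC interfaces are permitted.
MANAGEMENT_NETS = [ipaddress.ip_network("10.20.30.0/24")]

# RFC 1918 private ranges, listed explicitly rather than relying on library heuristics.
RFC1918_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


@dataclass
class Finding:
    host: str
    bmc: str
    reason: str


def audit_bmc_exposure(inventory, management_nets):
    """Return a Finding for every BMC that violates the private-management-network rule."""
    findings = []
    for host, addr in inventory:
        ip = ipaddress.ip_address(addr)
        if not any(ip in net for net in RFC1918_NETS):
            findings.append(Finding(host, addr, "not RFC1918"))
        elif not any(ip in net for net in management_nets):
            findings.append(Finding(host, addr, "outside management network"))
    return findings


if __name__ == "__main__":
    for f in audit_bmc_exposure(BMC_INVENTORY, MANAGEMENT_NETS):
        print(f"{f.host}: BMC {f.bmc} flagged ({f.reason})")
```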


