Supermicro Bug Could Let “Virtual USBs” Take Over Corporate Servers
Credit to Author: Lily Hay Newman| Date: Tue, 03 Sep 2019 10:00:00 +0000
A newly disclosed vulnerability in Supermicro hardware brings the threat of malicious USBs to corporate servers.
A lot can go wrong with corporate network security, but hopefully at a minimum people know not to plug strange USB sticks into network computers. But it turns out that an attacker could exploit flaws in a type of remote management device to plug in all the "virtual" thumb drives they want. And the same type of attack can turn pretty much any USB device into a virtual trojan horse.
In new findings presented at the Open Source Firmware Conference in Silicon Valley on Tuesday, though, researchers from the security firm Eclypsium are detailing vulnerabilities in a number of Supermicro baseboard management controllers. Those are special processors installed on server motherboards to give system administrators hardware-level management powers from afar. That comes in handy when admins need to do things like load old software onto a server from a CD, or upgrade an operating system from an image on an external hard drive. BMCs facilitate that without the need to physically plug anything into the server itself. The server will just think that a device is directly connected.
The researchers found, though, that the BMCs on Supermicro X9, X10, and X11 platforms contain flaws that can be exploited to weaponize this legitimate function. An attacker could potentially exfiltrate data to a thumb drive or external hard drive, replace a server's operating system with a malicious one, or even take the server down. Attackers can take advantage of the flaw when they already have corporate network access to gain deeper control by moving laterally onto a BMC. But they can also launch these attacks remotely if organizations leave their BMCs accessible on the open internet—like the more than 47,000 exposed BMCs the researchers found in a recent sweep.
"There’s an assumption in many security models that physical presence is a significant challenge. However in our case we have the equivalent of physical presence," says Rick Altherr, Eclypsium's principal engineer. "There’s really endless possibilities with this. And BMCs are very, very common devices."
If an administrator wanted to virtually connect a USB device to a server, she would use a remote management "virtual media" web application from her laptop or other device to essentially call into the BMC and take advantage of its hardware access controls. The Eclypsium researchers found, though, that the authentication protections on the systems that run these virtual media protocols are vulnerable to numerous different types of attacks.
The system can improperly store legitimate administrator logins, for instance, sometimes allowing the next user to enter any username and password and gain access. Altherr said he found this bug to be highly reliable in testing, but even if the gaping open window suddenly shuts, an attacker can still try default Supermicro credentials that often haven't been changed. And for an attacker already on the network looking to jump to the BMC, there's another option to obtain credentials by intercepting traffic between the web application and the BMC, because the connection is only protected by relatively weak encryption.
The researchers disclosed the flaws to Supermicro in June and the company has issued firmware updates for all of the affected BMCs. Eclypsium CEO Yuriy Bulygin notes, though, that like many enterprise devices, BMCs are often slow to get firmware upgrades in practice. As a result, it will likely take time for the patches to reach the vulnerable servers.
"We want to thank the researchers who have identified the BMC Virtual Media vulnerability," a Supermicro spokesperson said in a statement. "Industry best practice is operating BMCs on an isolated private network not exposed to the internet, which would reduce, but not eliminate the identified exposure. New versions of the BMC software address these vulnerabilities."
The attack has all the benefits of tricking employees into plugging malicious thumb drives into network computers without all the fuss of actually having to do it. And because an attacker can attach any USB device, she can use these same vulnerabilities to "connect" a keyboard to the server and directly give commands like shutting the server down or instructing it to boot from an external disk image.
"If you can get into an internal network BMCs are often easy to exploit—recent disclosures have shown this more and more," say Jatin Kataria, principal scientist at the embedded device security firm Red Balloon. And he adds that while large corporate networks always have (or should have) extensive intrusion detection in place, legitimate-looking connections to a BMC may fool these defenses. "I don’t think BMC was even in the enterprise threat model until recent disclosures," he says.
In an October 2018 investigation, Bloomberg Businessweek alleged that many Supermicro motherboards around the world had been compromised with a physical backdoor installed by the Chinese military. Supermicro and other tech giants that use the company's servers deny the validity of the report.
The Eclypsium researchers hope to raise awareness about the potential exposures that can come from BMCs generally, since they are privileged devices intended for remote use. They provide a genuine service to network administrators, and may aid admins in doing security upgrades. But like any such tool, these same traits can also potentially be abused by attackers.