Insecure vUSB in Supermicro BMCs exposes servers to attack
A baseband management controller (BMC) is an independent micro-controller present on server motherboards that allows out-of-band management of those servers. BMCs are like small computers with their own specialised firmware that run inside, but independently of the main computer – the server itself. The BMC software is typically unique for every server manufacturer, and it presents a management interface that gives administrators full control over the server and its operating system.
The level of access that BMC interfaces provide make them highly powerful, which is why the security of BMC implementations has been scrutinised for years, and researchers have found various types of vulnerabilities affecting servers from different manufacturers.
The latest research, from firmware security company Eclypsium, looked at a feature of Supermicro BMC software called the virtual media service. This feature is intended to allow administrators to attach virtual USB devices remotely to a server through the BMC client software. The functionality is implemented through a Java application served by the BMC’s web interface.
While the feature supports and requires authentication, the Eclypsium researchers found significant weaknesses with the implementation. For one, the application allows plaintext authentication, which can be intercepted. Encryption is supported but needs to be requested by the client, not the server, and even then, only the authentication packet is encrypted with RC4, which is a weak algorithm, and with a hardcoded key that is shared by all Supermicro BMCs.
All these issues exist in Supermicro’s BMCs for X9, X10 and X11 platforms, but the X10 and X11 BMCs also have an authentication bypass vulnerability where the server keeps a client’s authorisation even after it has disconnected, so a new client authenticating with incorrect credentials can inherit it and gain access.
“If a valid administrator had used virtual media since the BMC was last powered off, the authentication bypass vulnerability would allow an attacker to connect even without the proper username and password,” the Eclypsium researchers said in their report. “Given that BMCs are intended to be always available, it is particularly rare for a BMC to be powered off or reset. As a result, the authentication bypass vulnerability is likely to be applicable unless the server has been physically unplugged or the building loses power.”
The virtual media service essentially gives clients access to a virtual USB hub to which they can attach virtual USB devices. The BMC will actually support any type of USB devices, for example a virtual CD-ROM that can be used to boot the server, a USB mass storage device to exfiltrate data from the server, or a USB keyboard to execute a series of malicious keystrokes and take control of the server in various ways. The researchers created a proof-of-concept where they exfiltrated data from a server using Facedancer, an open-source framework that allows emulating USB devices.
There are several ways to attack Supermicro servers through these vulnerabilities. If the servers are platforms X10 or X11, the authentication bypass can be used, including over the internet. However, attackers can also try default credentials, which are often left unchanged, or, if they are on the same network and can intercept traffic, they can decrypt the packets and steal the credentials.
The virtual media service runs on TCP port 623 and a scan by Eclypsium revealed 47,339 Supermicro BMCs from over 90 different countries with this service exposed directly to the internet. Of course, there are many more vulnerable servers out there than can be attacked if attackers gain access to the same network their BMCs are available on.
Patching the flaw and securing BMCs
Supermicro has released BMC updates for the affected products to address the vulnerabilities. While these updates should be deployed as soon as possible, these will not be the last flaws to be found in BMCs so companies should isolate these management interfaces.
“Given the speed with which new BMC vulnerabilities are being discovered and their incredible potential impact, there is no reason for enterprises to risk exposing them directly to the internet,” the Eclypsium researchers said. “BMCs that are not exposed to the internet should also be carefully monitored for vulnerabilities and threats. While organisations are often fastidious at applying patches for their software and operating systems, the same is often not true for the firmware in their servers.”
Even inside corporate networks, it is better to only expose these server management interfaces to a private network segment where traffic is monitored and firewalled and which only administrators can access. On such a network segment, for example, traffic to TCP port 623 could be blocked entirely, blocking access to this virtual media service and mitigating the vulnerability until updates can be deployed.
One of the reasons BMCs were created was to allow administrative tasks to be performed out of band without rebooting servers, but deploying firmware updates to the BMCs themselves requires server shutdown so have to be planned. This means they cannot be applied immediately.
“We want to thank the researchers who have identified the BMC Virtual Media vulnerability,” Super Micro Computer said in an emailed statement. “Supermicro worked closely with the researchers to validate the remediation. Industry best practice is operating BMCs on an isolated private network not exposed to the internet, which would reduce, but not eliminate the identified exposure.”
IDG News Service