Researchers from an enterprise firmware security startup have found an issue with a key component in various Supermicro motherboards that could allow attackers to remotely access some of an organization’s most valuable assets.
Issues in the baseboard management controllers of Supermicro’s X9, X10 and X11 platforms could allow an attacker to easily connect to a server and mount a virtual disk drive on the BMC, according to researchers from Eclypsium. After mounting a drive, an attacker could modify a server, implant malware, or even disable the device entirely.
“Threats operating at this level can easily subvert traditional security measures and put the device and the integrity of all its data at risk,” Eclypsium notes in its research, which was released Tuesday. “As such, organizations should begin to treat these layers of security with the attention that it deserves.”
The BMC is a processor that measures the physical state of a computer and gathers information on internal machine particulars like temperature and power supply. It’s common for system administrators to remotely access BMCs to make various adjustments to servers.
According to Eclypsium, the process by which Supermicro’s BMCs connect with a virtual drive is filled with errors. The Java application that authenticates the connection allows the client to send a plaintext username and password. From there, the BMC sends most of its traffic unencrypted, or uses the weak RC4 encryption algorithm when users choose to encrypt it.
In the X10 and X11 models, an additional error in the way the BMC stores info about virtual connection sessions could allow someone to bypass authentication on a future connection.
Once these credentials are stolen, malicious hackers can use a host of different tools to launch a bevy of attacks against the BMC itself, other firmware or the entire targeted server.
“This vulnerability further highlights the importance of monitoring and securing servers beyond the scope of the operating system and applications they run,” the researchers write.
Making the problem worse is the number of BMCs the researchers found directly connected to the internet. In a search of TCP port 623 (the port over which the virtual USB drive connects to the BMC) on Shodan, a search tool for internet-connected devices, Eclypsium researchers found 47,000 systems with their BMCs exposed to the internet and using the relevant protocol.
“Given the speed with which new BMC vulnerabilities are being discovered and their incredible potential impact, there is no reason for enterprises to risk exposing them directly to the Internet,” researchers wrote.
Eclypsium has made Supermicro aware of the issues, and has been told by the firmware maker that updates for the X9, X10 and X11 platforms have been issued.
“We want to thank the researchers who have identified the BMC virtual media vulnerability,” Supermicro said in response to questions from CyberScoop. “Industry best practice is operating BMCs on an isolated private network not exposed to the internet, which would reduce, but not eliminate the identified exposure.”
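The mitigation both Eclypsium and Supermicro describe is keeping BMCs off the internet on an isolated management network. The script below is an added example, not code from the article, Eclypsium or Supermicro: it audits a BMC inventory against that policy, flagging any BMC whose address is outside the declared management networks and any firewall rule that lets a source outside those networks reach TCP port 623 on a BMC. The inventory, management networks and firewall rules are constructed sample data (the 203.0.113.0/24 addresses are the RFC 5737 documentation range), and the rule format is an assumption for illustration.

```python
"""Audit a BMC inventory against an 'isolated management network' policy.

Added example, not the article's or the vendor's code. All hosts, networks
and firewall rules below are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass

VIRTUAL_MEDIA_PORT = 623  # TCP port the BMC virtual media service listens on

# Constructed: the only networks a BMC interface is allowed to live on.
MANAGEMENT_NETS = [ipaddress.ip_network("10.200.0.0/16")]


@dataclass
class Bmc:
    hostname: str
    address: str  # address of the BMC (IPMI) interface


@dataclass
class FirewallRule:
    src_net: str   # source network allowed to reach dst_net on dst_port
    dst_net: str
    dst_port: int


def on_management_net(addr, mgmt_nets=MANAGEMENT_NETS):
    """True if the BMC address belongs to one of the management networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in mgmt_nets)


def rules_exposing_port(addr, rules, mgmt_nets=MANAGEMENT_NETS, port=VIRTUAL_MEDIA_PORT):
    """Return the rules that let a source outside the management networks
    reach `port` on the BMC at `addr`."""
    ip = ipaddress.ip_address(addr)
    exposing = []
    for rule in rules:
        if rule.dst_port != port or ip not in ipaddress.ip_network(rule.dst_net):
            continue
        src = ipaddress.ip_network(rule.src_net)
        # A source range is acceptable only if it sits entirely inside a management net.
        if not any(src.subnet_of(net) for net in mgmt_nets):
            exposing.append(rule)
    return exposing


def audit(bmcs, rules, mgmt_nets=MANAGEMENT_NETS):
    """Map hostname -> list of policy violations; BMCs with no findings are omitted."""
    findings = {}
    for bmc in bmcs:
        problems = []
        if not on_management_net(bmc.address, mgmt_nets):
            problems.append(f"BMC address {bmc.address} is outside the management networks")
        for rule in rules_exposing_port(bmc.address, rules, mgmt_nets):
            problems.append(
                f"port {rule.dst_port} reachable from {rule.src_net} "
                f"via rule {rule.src_net} -> {rule.dst_net}"
            )
        if problems:
            findings[bmc.hostname] = problems
    return findings


# Constructed sample inventory and rule set.
SAMPLE_BMCS = [
    Bmc("db01-bmc", "10.200.3.11"),    # correctly placed on the management net
    Bmc("web07-bmc", "203.0.113.45"),  # BMC given a non-management address
    Bmc("lab02-bmc", "10.200.9.20"),   # on the management net, but see the rules below
]
SAMPLE_RULES = [
    FirewallRule("10.200.250.0/24", "10.200.0.0/16", 623),  # jump hosts inside the management net: fine
    FirewallRule("0.0.0.0/0", "10.200.9.0/24", 623),        # mistake: port 623 open to any source
    FirewallRule("0.0.0.0/0", "10.200.0.0/16", 443),        # not the virtual media port; ignored here
]

if __name__ == "__main__":
    for host, problems in audit(SAMPLE_BMCS, SAMPLE_RULES).items():
        print(host)
        for problem in problems:
            print("  -", problem)
```

Run against real data, the inventory would come from the asset database and the rules from the management firewall's export; the check is deliberately strict in that a source range such as 0.0.0.0/0 or any range not wholly inside a management network counts as exposure, which matches the article's point that there is no good reason for port 623 to be reachable from the internet at all.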