Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

9/3/2019
04:30 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Over 47K Supermicro Corporate Servers Vulnerable to Attack

Vulnerabilities in a remote-monitoring component give attackers a way to mount virtual USBs on systems, Eclypsium warns.

UPDATE--09/04/2019 Supermicro on Wednesday released security updates addressing the vulnerabilities in its X9, X10 and X11 server platforms.

At least 47,000 Supermicro servers are vulnerable to attack and compromise over the Internet via several security vulnerabilities in a remote monitoring and management component on the systems.

Supermicro has urged organizations using its X9, X10, and X11 platforms to block the port through which attacks can be carried out while the company works on getting a security fix issued.

The vendor has also asked impacted organizations to ensure that the vulnerable component is operating on an isolated private network and is not directly exposed to the Internet. The precaution "would reduce but not eliminate the identified exposure," Supermicro said in an advisory Tuesday.

The vulnerabilities - discovered by security vendor Eclypsium - exist in the baseboard management controllers (BMC) of Supermicro servers. They give attackers a way to remotely connect to a server, mount a virtual USB CD/DVD drive, and carry out a variety of activities including loading a new operating system image, modifying settings, dropping malware, or disabling the device entirely.

A BMC is an embedded component that allows administrators to do out-of-band monitoring of servers and desktops. BMCs have direct access to the motherboard of the host system and enable actions like remote rebooting, remote OS reinstallation, and remote log analysis. Most desktops and servers ship with BMCs on them.

"BMCs are highly privileged devices in modern systems that [also] have a poor security track record," says Rick Altherr, principal engineer at Eclypsium. Security researchers are actively looking for ways to attack BMCs because of their reputation for being riddled with vulnerabilities, he says. Over the years security researchers have discovered weaknesses in BMCs from HP, Dell, IBM, Supermicro, Oracle, Fujistu, and others.

"End users should treat them [BMCs] as vulnerable and take steps to protect them on their network," Altherr says. "For the future, server vendors need to hear from customers that BMC security is important and needs to be addressed."

According to Eclypsium, the problem it found has to with how the BMCs on Supermicro's X9, X10, and X11 servers have implemented a virtual media function designed to give users and administrators a way to remotely connect via TCP port 623 to a disk image as a virtual USB CD or DVD drive on a system.

Authentication Weaknesses

What Eclypsium's researchers discovered is that the virtual media service on the Supermicro BMCs allows plain-text authentication and sends traffic unencrypted, or only weakly encrypted, between the client and server.

The BMCs on Supermicro's X10 and X11 platforms also allow for authentication bypass entirely. Eclypsium's researchers found that when a client is properly authenticated to the virtual media service on these devices and disconnects, crucial details about that client's session are left intact. When a new client connects, it inherits the previous client's authorizations even if the new client attempts access using incorrect authentication credentials.

Together, the weaknesses give attackers a way to relatively easily gain access to a server and plug a virtual USB into it and carry out different types of malicious activity, Eclypsium said this week. Because of how Supermicro has implemented the virtual media service, an attacker can virtually mount any USB device to the server.

Attackers can gain access using a legitimate user's authentication packet by exploiting default credentials or in some cases, by bypassing authentication entirely, the security vendor said.

An Eclypsium scan of TCP port 623 showed there are more than 47,330 BMCs with the vulnerable virtual-media services that are publicly accessible. Many other vulnerable systems likely exist that are not directly accessible from the Internet, but can be exploited by attackers with access to a corporate network, Eclypsium said.

A majority of the vulnerable systems belong to US-based organizations, says Altherr.

In all, the security vendor discovered over 92,000 BMCs that are discoverable over the Internet, including the over 47,300 servers with the vulnerable virtual-services component.

Related Content:

 

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "'It Saved Our Community': 16 Realistic Ransomware Defenses for Cities."

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
DevSecOps: The Answer to the Cloud Security Skills Gap
Lamont Orange, Chief Information Security Officer at Netskope,  11/15/2019
Attackers' Costs Increasing as Businesses Focus on Security
Robert Lemos, Contributing Writer,  11/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: -when I told you that our cyber-defense was from another age
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-1817
PUBLISHED: 2019-11-20
MediaWiki before 1.19.4 and 1.20.x before 1.20.3 contains an error in the api.php script which allows remote attackers to obtain sensitive information.
CVE-2013-2091
PUBLISHED: 2019-11-20
SQL injection vulnerability in Dolibarr ERP/CRM 3.3.1 allows remote attackers to execute arbitrary SQL commands via the 'pays' parameter in fiche.php.
CVE-2012-1257
PUBLISHED: 2019-11-20
Pidgin 2.10.0 uses DBUS for certain cleartext communication, which allows local users to obtain sensitive information via a dbus session monitor.
CVE-2013-1816
PUBLISHED: 2019-11-20
MediaWiki before 1.19.4 and 1.20.x before 1.20.3 allows remote attackers to cause a denial of service (application crash) by sending a specially crafted request.
CVE-2011-4455
PUBLISHED: 2019-11-20
Multiple cross-site scripting vulnerabilities in Tiki 7.2 and earlier allow remote attackers to inject arbitrary web script or HTML via the path info to (1) tiki-admin_system.php, (2) tiki-pagehistory.php, (3) tiki-removepage.php, or (4) tiki-rename_page.php.