Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

9/3/2019
04:30 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Over 47K Supermicro Corporate Servers Vulnerable to Attack

Vulnerabilities in a remote-monitoring component give attackers a way to mount virtual USBs on systems, Eclypsium warns.

UPDATE--09/04/2019 Supermicro on Wednesday released security updates addressing the vulnerabilities in its X9, X10 and X11 server platforms.

At least 47,000 Supermicro servers are vulnerable to attack and compromise over the Internet via several security vulnerabilities in a remote monitoring and management component on the systems.

Supermicro has urged organizations using its X9, X10, and X11 platforms to block the port through which attacks can be carried out while the company works on getting a security fix issued.

The vendor has also asked impacted organizations to ensure that the vulnerable component is operating on an isolated private network and is not directly exposed to the Internet. The precaution "would reduce but not eliminate the identified exposure," Supermicro said in an advisory Tuesday.

The vulnerabilities - discovered by security vendor Eclypsium - exist in the baseboard management controllers (BMC) of Supermicro servers. They give attackers a way to remotely connect to a server, mount a virtual USB CD/DVD drive, and carry out a variety of activities including loading a new operating system image, modifying settings, dropping malware, or disabling the device entirely.

A BMC is an embedded component that allows administrators to do out-of-band monitoring of servers and desktops. BMCs have direct access to the motherboard of the host system and enable actions like remote rebooting, remote OS reinstallation, and remote log analysis. Most desktops and servers ship with BMCs on them.

"BMCs are highly privileged devices in modern systems that [also] have a poor security track record," says Rick Altherr, principal engineer at Eclypsium. Security researchers are actively looking for ways to attack BMCs because of their reputation for being riddled with vulnerabilities, he says. Over the years security researchers have discovered weaknesses in BMCs from HP, Dell, IBM, Supermicro, Oracle, Fujistu, and others.

"End users should treat them [BMCs] as vulnerable and take steps to protect them on their network," Altherr says. "For the future, server vendors need to hear from customers that BMC security is important and needs to be addressed."

According to Eclypsium, the problem it found has to with how the BMCs on Supermicro's X9, X10, and X11 servers have implemented a virtual media function designed to give users and administrators a way to remotely connect via TCP port 623 to a disk image as a virtual USB CD or DVD drive on a system.

Authentication Weaknesses

What Eclypsium's researchers discovered is that the virtual media service on the Supermicro BMCs allows plain-text authentication and sends traffic unencrypted, or only weakly encrypted, between the client and server.

The BMCs on Supermicro's X10 and X11 platforms also allow for authentication bypass entirely. Eclypsium's researchers found that when a client is properly authenticated to the virtual media service on these devices and disconnects, crucial details about that client's session are left intact. When a new client connects, it inherits the previous client's authorizations even if the new client attempts access using incorrect authentication credentials.

Together, the weaknesses give attackers a way to relatively easily gain access to a server and plug a virtual USB into it and carry out different types of malicious activity, Eclypsium said this week. Because of how Supermicro has implemented the virtual media service, an attacker can virtually mount any USB device to the server.

Attackers can gain access using a legitimate user's authentication packet by exploiting default credentials or in some cases, by bypassing authentication entirely, the security vendor said.

An Eclypsium scan of TCP port 623 showed there are more than 47,330 BMCs with the vulnerable virtual-media services that are publicly accessible. Many other vulnerable systems likely exist that are not directly accessible from the Internet, but can be exploited by attackers with access to a corporate network, Eclypsium said.

A majority of the vulnerable systems belong to US-based organizations, says Altherr.

In all, the security vendor discovered over 92,000 BMCs that are discoverable over the Internet, including the over 47,300 servers with the vulnerable virtual-services component.

Related Content:

 

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "'It Saved Our Community': 16 Realistic Ransomware Defenses for Cities."

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/21/2020
Cybersecurity Bounces Back, but Talent Still Absent
Simone Petrella, Chief Executive Officer, CyberVista,  9/16/2020
Meet the Computer Scientist Who Helped Push for Paper Ballots
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/16/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Latest Comment: Exactly
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-14180
PUBLISHED: 2020-09-21
Affected versions of Atlassian Jira Service Desk Server and Data Center allow remote attackers authenticated as a non-administrator user to view Project Request-Types and Descriptions, via an Information Disclosure vulnerability in the editform request-type-fields resource. The affected versions are...
CVE-2020-14177
PUBLISHED: 2020-09-21
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to impact the application's availability via a Regex-based Denial of Service (DoS) vulnerability in JQL version searching. The affected versions are before version 7.13.16; from version 7.14.0 before 8.5.7; from versio...
CVE-2020-14179
PUBLISHED: 2020-09-21
Affected versions of Atlassian Jira Server and Data Center allow remote, unauthenticated attackers to view custom field names and custom SLA names via an Information Disclosure vulnerability in the /secure/QueryComponent!Default.jspa endpoint. The affected versions are before version 8.5.8, and from...
CVE-2020-25789
PUBLISHED: 2020-09-19
An issue was discovered in Tiny Tiny RSS (aka tt-rss) before 2020-09-16. The cached_url feature mishandles JavaScript inside an SVG document.
CVE-2020-25790
PUBLISHED: 2020-09-19
** DISPUTED ** Typesetter CMS 5.x through 5.1 allows admins to upload and execute arbitrary PHP code via a .php file inside a ZIP archive. NOTE: the vendor disputes the significance of this report because "admins are considered trustworthy"; however, the behavior "contradicts our secu...