Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

9/3/2019
04:30 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Over 47K Supermicro Corporate Servers Vulnerable to Attack

Vulnerabilities in a remote-monitoring component give attackers a way to mount virtual USBs on systems, Eclypsium warns.

UPDATE--09/04/2019 Supermicro on Wednesday released security updates addressing the vulnerabilities in its X9, X10 and X11 server platforms.

At least 47,000 Supermicro servers are vulnerable to attack and compromise over the Internet via several security vulnerabilities in a remote monitoring and management component on the systems.

Supermicro has urged organizations using its X9, X10, and X11 platforms to block the port through which attacks can be carried out while the company works on getting a security fix issued.

The vendor has also asked impacted organizations to ensure that the vulnerable component is operating on an isolated private network and is not directly exposed to the Internet. The precaution "would reduce but not eliminate the identified exposure," Supermicro said in an advisory Tuesday.

The vulnerabilities - discovered by security vendor Eclypsium - exist in the baseboard management controllers (BMC) of Supermicro servers. They give attackers a way to remotely connect to a server, mount a virtual USB CD/DVD drive, and carry out a variety of activities including loading a new operating system image, modifying settings, dropping malware, or disabling the device entirely.

A BMC is an embedded component that allows administrators to do out-of-band monitoring of servers and desktops. BMCs have direct access to the motherboard of the host system and enable actions like remote rebooting, remote OS reinstallation, and remote log analysis. Most desktops and servers ship with BMCs on them.

"BMCs are highly privileged devices in modern systems that [also] have a poor security track record," says Rick Altherr, principal engineer at Eclypsium. Security researchers are actively looking for ways to attack BMCs because of their reputation for being riddled with vulnerabilities, he says. Over the years security researchers have discovered weaknesses in BMCs from HP, Dell, IBM, Supermicro, Oracle, Fujistu, and others.

"End users should treat them [BMCs] as vulnerable and take steps to protect them on their network," Altherr says. "For the future, server vendors need to hear from customers that BMC security is important and needs to be addressed."

According to Eclypsium, the problem it found has to with how the BMCs on Supermicro's X9, X10, and X11 servers have implemented a virtual media function designed to give users and administrators a way to remotely connect via TCP port 623 to a disk image as a virtual USB CD or DVD drive on a system.

Authentication Weaknesses

What Eclypsium's researchers discovered is that the virtual media service on the Supermicro BMCs allows plain-text authentication and sends traffic unencrypted, or only weakly encrypted, between the client and server.

The BMCs on Supermicro's X10 and X11 platforms also allow for authentication bypass entirely. Eclypsium's researchers found that when a client is properly authenticated to the virtual media service on these devices and disconnects, crucial details about that client's session are left intact. When a new client connects, it inherits the previous client's authorizations even if the new client attempts access using incorrect authentication credentials.

Together, the weaknesses give attackers a way to relatively easily gain access to a server and plug a virtual USB into it and carry out different types of malicious activity, Eclypsium said this week. Because of how Supermicro has implemented the virtual media service, an attacker can virtually mount any USB device to the server.

Attackers can gain access using a legitimate user's authentication packet by exploiting default credentials or in some cases, by bypassing authentication entirely, the security vendor said.

An Eclypsium scan of TCP port 623 showed there are more than 47,330 BMCs with the vulnerable virtual-media services that are publicly accessible. Many other vulnerable systems likely exist that are not directly accessible from the Internet, but can be exploited by attackers with access to a corporate network, Eclypsium said.

A majority of the vulnerable systems belong to US-based organizations, says Altherr.

In all, the security vendor discovered over 92,000 BMCs that are discoverable over the Internet, including the over 47,300 servers with the vulnerable virtual-services component.

Related Content:

 

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "'It Saved Our Community': 16 Realistic Ransomware Defenses for Cities."

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 5/28/2020
Stay-at-Home Orders Coincide With Massive DNS Surge
Robert Lemos, Contributing Writer,  5/27/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-11844
PUBLISHED: 2020-05-29
There is an Incorrect Authorization vulnerability in Micro Focus Service Management Automation (SMA) product affecting version 2018.05 to 2020.02. The vulnerability could be exploited to provide unauthorized access to the Container Deployment Foundation.
CVE-2020-6937
PUBLISHED: 2020-05-29
A Denial of Service vulnerability in MuleSoft Mule CE/EE 3.8.x, 3.9.x, and 4.x released before April 7, 2020, could allow remote attackers to submit data which can lead to resource exhaustion.
CVE-2020-7648
PUBLISHED: 2020-05-29
All versions of snyk-broker before 4.72.2 are vulnerable to Arbitrary File Read. It allows arbitrary file reads for users who have access to Snyk's internal network by appending the URL with a fragment identifier and a whitelisted path e.g. `#package.json`
CVE-2020-7650
PUBLISHED: 2020-05-29
All versions of snyk-broker after 4.72.0 including and before 4.73.1 are vulnerable to Arbitrary File Read. It allows arbitrary file reads to users with access to Snyk's internal network of any files ending in the following extensions: yaml, yml or json.
CVE-2020-7654
PUBLISHED: 2020-05-29
All versions of snyk-broker before 4.73.1 are vulnerable to Information Exposure. It logs private keys if logging level is set to DEBUG.