Flaw found in Supermicro motherboards could allow for remote hijacking

A security group discovered a vulnerability in three models of Supermicro motherboards that could allow an attacker to remotely commandeer the server. Fortunately, a fix is already available.

Eclypsium, which specializes in firmware security, announced in its blog that it had found a set of flaws in the baseboard management controller (BMC) for three different models of Supermicro server boards: the X9, X10, and X11.

BMCs are designed to permit administrators remote access to the computer so they can do maintenance and other updates, such as firmware and operating system patches. It’s meant to be a secure port into the computer while at the same time walled off from the rest of the server.

Normally BMCs are locked down within the network in order to prevent this kind of malicious access in the first place. In some cases, BMCs are left open to the internet so they can be accessed from a web browser, and those interfaces are not terribly secure. That’s what Eclypsium found.

For its BMC management console, Supermicro uses an app called virtual media application. This application allows admins to remotely mount images from USB devices and CD or DVD-ROM drives.

When accessed remotely, the virtual media service allows for plaintext authentication, sends most of the traffic unencrypted, uses a weak encryption algorithm for the rest, and is susceptible to an authentication bypass, according to Eclypsium.

Eclypsium was more diplomatic than I, so I’ll say it: Supermicro was sloppy.

These issues allow an attacker to easily gain access to a server, either by capturing a legitimate user’s authentication packet, using default credentials, and in some cases, without any credentials at all.

“This means attackers can attack the server in the same way as if they had physical access to a USB port, such as loading a new operating system image or using a keyboard and mouse to modify the server, implant malware, or even disable the device entirely,” Eclypsium wrote in its blog post.

All told, the team found four different flaws within the virtual media service of the BMC’s web control interface.

How an attacker could exploit the Supermicro flaws

According to Eclypsium, the easiest way to attack the virtual media flaws is to find a server with the default login or brute force an easily guessed login (root or admin). In other cases, the flaws would have to be targeted.

Normally, access to the virtual media service is conducted by a small Java application served on the BMC’s web interface. This application then connects to the virtual media service listening on TCP port 623 on the BMC. A scan by Eclypsium on port 623 turned up 47,339 exposed BMCs around the world.

Eclypsium did the right thing and contacted Supermicro and waited for the vendor to release an update to fix the vulnerabilities before going public. Supermicro thanked Eclypsium for not only bringing this issue to its attention but also helping validate the fixes.

Eclypsium is on quite the roll. In July it disclosed BMC vulnerabilities in motherboards from Lenovo, Gigabyte and other vendors, and last month it disclosed flaws in 40 device drivers from 20 vendors that could be exploited to deploy malware.