A security group discovered a vulnerability in three models of Supermicro motherboards that could allow an attacker to remotely commandeer the server. Fortunately, a fix is already available.\nEclypsium, which specializes in firmware security, announced in its blog that it had found a set of flaws in the baseboard management controller (BMC) for three different models of Supermicro server boards: the X9, X10, and X11.\n\nBMCs are designed to permit administrators remote access to the computer so they can do maintenance and other updates, such as firmware and operating system patches. It\u2019s meant to be a secure port into the computer while at the same time walled off from the rest of the server.\nNormally BMCs are locked down within the network in order to prevent this kind of malicious access in the first place. In some cases, BMCs are left open to the internet so they can be accessed from a web browser, and those interfaces are not terribly secure. That\u2019s what Eclypsium found.\nFor its BMC management console, Supermicro uses an app called virtual media application. This application allows admins to remotely mount images from USB devices and CD or DVD-ROM drives.\nWhen accessed remotely, the virtual media service allows for plaintext authentication, sends most of the traffic unencrypted, uses a weak encryption algorithm for the rest, and is susceptible to an authentication bypass, according to Eclypsium.\nEclypsium was more diplomatic than I, so I\u2019ll say it: Supermicro was sloppy.\nThese issues allow an attacker to easily gain access to a server, either by capturing a legitimate user\u2019s authentication packet, using default credentials, and in some cases, without any credentials at all.\n"This means attackers can attack the server in the same way as if they had physical access to a USB port, such as loading a new operating system image or using a keyboard and mouse to modify the server, implant malware, or even disable the device entirely," Eclypsium wrote in its blog post.\nAll told, the team found four different flaws within the virtual media service of the BMC's web control interface.\nHow an attacker could exploit the Supermicro flaws\nAccording to Eclypsium, the easiest way to attack the virtual media flaws is to find a server with the default login or brute force an easily guessed login (root or admin). In other cases, the flaws would have to be targeted.\nNormally, access to the virtual media service is conducted by a small Java application served on the BMC\u2019s web interface. This application then connects to the virtual media service listening on TCP port 623 on the BMC.\u00a0A scan by Eclypsium on port 623 turned up 47,339 exposed BMCs around the world.\nEclypsium did the right thing and contacted Supermicro and waited for the vendor to release an update to fix the vulnerabilities before going public. Supermicro thanked Eclypsium for not only bringing this issue to its attention but also helping validate the fixes.\nEclypsium is on quite the roll. In July it disclosed BMC vulnerabilities in motherboards from Lenovo, Gigabyte and other vendors, and last month it\u00a0disclosed flaws in 40 device drivers from 20 vendors that could be exploited to deploy malware.