New USBAnywhere Vulnerabilities Leave Supermicro Server BMCs Open to Remote Attack

More than 47,000 Supermicro servers in 90 countries have new vulnerabilities, collectively dubbed USBAnywhere, in their baseboard management controllers (BMCs), reports cyber security company Eclypsium.

These vulnerabilities "can allow an attacker to connect to a server and mount any USB device of their choosing to the server, remotely over any network including the Internet."

Numerous issues have been found in the way BMCs on Supermicro X9, X10 and X11 platforms implement virtual media, an ability to remotely connect a disk image as a virtual USB CD-ROM or floppy drive.

When accessed remotely, the virtual media service allows plaintext authentication, sends most traffic unencrypted, uses a weak encryption algorithm for the rest, and is susceptible to an authentication bypass. These issues allow an attacker to gain access to a server by capturing a legitimate user’s authentication packet or using default credentials. In some cases, it can do this without any credentials at all.

Once connected, the virtual media service allows the attacker to interact with the host system as a raw USB device. Access to the virtual media service is usually facilitated by a Java application served by the BMC’s web interface, which connects to the virtual media service listening on TCP port 623 on the BMC. The service uses a custom packet-based format to authenticate the client and transport USB packets between client and server.

Eclypsium's analysis of the authentication revealed several issues:

1. Plaintext Authentication: While the Java application uses a unique session ID for authentication, the service also allows the client to use a plaintext username and password.

2. Unencrypted network traffic: Encryption is available but must be requested by the client. The Java application provided with the affected systems use this encryption for the initial authentication packet but then use unencrypted packets for all other traffic.

3. Weak encryption: When encryption is used, the payload is encrypted with RC4 using a fixed key compiled into the BMC firmware. This key is shared across all Supermicro BMCs. RC4 has multiple published cryptographic weaknesses and has been prohibited from use in TLS (RFC7465).

4. Authentication Bypass (X10 and X11 platforms only): After a client has properly authenticated to the virtual media service and then disconnected, some of the service’s internal state about that client is incorrectly left intact. As the internal state is linked to the client’s socket file descriptor number, a new client that happens to be assigned the same socket file descriptor number by the BMC’s OS inherits this internal state. In practice, this allows the new client to inherit the previous client’s authorization even when the new client attempts to authenticate with incorrect credentials.

The fourth is the most troublesome, writes ZDNet, as it "allows a hacker to initiate repeated connections to the BMC web interface's virtual media service (Java app) until they land on the same server socket that was used by a legitimate admin."

While this may seem a bit hit'n'miss, Eclypsium note that "when coupled with frameworks that allow users to implement USB devices in software, an attacker can emulate any device they need. Such a combination of functionality could allow an attacker to boot the machine from a malicious USB image, exfiltrate data over a USB mass storage device, or use a virtual USB Rubber Ducky that rapidly performs a sequence of carefully crafted keystrokes to perform virtually any other type of hacking against the BMC, the firmware, or the server it manages."

In the wake of Eclypsium's findings, Supermicro released patches on its website for Supermicro X9, X10, and X11 boards.

"Operate BMCs on an isolated private network not exposed to the internet. (This) would reduce, but not eliminate the identified exposure," a Supermicro spokesperson told ZDNet. "Install the latest patches to completely mitigate the USBAnywhere attack vector for good."

. . .

If you want to stay notified of vulnerabilities that affect you, register for a weekly security report customised to your stack.