A lot can go wrong with corporate network security, but hopefully at a minimum people know not to plug strange USB sticks into network computers. But it turns out that an attacker could exploit flaws in a type of remote management device to plug in all the "virtual" thumb drives they want. And the same type of attack can turn pretty much any USB device into a virtual trojan horse.

In new findings presented at the Open Source Firmware Conference in Silicon Valley on Tuesday, though, researchers from the security firm Eclypsium are detailing vulnerabilities in a number of Supermicro baseboard management controllers. Those are special processors installed on server motherboards to give system administrators hardware-level management powers from afar. That comes in handy when admins need to do things like load old software onto a server from a CD or upgrade an operating system from an image on an external hard drive. BMCs facilitate that without the need to physically plug anything into the server itself. The server will just think that a device is directly connected.

The researchers found, though, that the BMCs on Supermicro X9, X10, and X11 platforms contain flaws that can be exploited to weaponize this legitimate function. An attacker could potentially exfiltrate data to a thumb drive or external hard drive, replace a server's operating system with a malicious one, or even take the server down. Attackers who already have corporate network access can use the flaw to move laterally onto a BMC and gain deeper control. But they can also launch these attacks remotely if organizations leave their BMCs accessible on the open internet—like the more than 47,000 exposed BMCs the researchers found in a recent sweep.

"There’s an assumption in many security models that physical presence is a significant challenge. However, in our case we have the equivalent of physical presence," says Rick Altherr, Eclypsium's principal engineer. "There’s really endless possibilities with this. And BMCs are very, very common devices."

If an administrator wanted to virtually connect a USB device to a server, she would use a remote management "virtual media" web application from her laptop or other device to essentially call into the BMC and take advantage of its hardware access controls. The Eclypsium researchers found, though, that the authentication protections on the systems that run these virtual media protocols are vulnerable to numerous types of attacks.

The system can improperly store legitimate administrator logins, for instance, sometimes allowing the next user to enter any username and password and gain access. Altherr said he found this bug to be highly reliable in testing, but even if the gaping open window suddenly shuts, an attacker can still try default Supermicro credentials that often haven't been changed. And for an attacker already on the network looking to jump to the BMC, there's another option to obtain credentials by intercepting traffic between the web application and the BMC, because the connection is only protected by relatively weak encryption.

The researchers disclosed the flaws to Supermicro in June, and the company has issued firmware updates for all of the affected BMCs. Eclypsium CEO Yuriy Bulygin notes, though, that like many enterprise devices, BMCs are often slow to get firmware upgrades in practice. As a result, it will likely take time for the patches to reach the vulnerable servers.

"We want to thank the researchers who have identified the BMC Virtual Media vulnerability," a Supermicro spokesperson said in a statement. "Industry best practice is operating BMCs on an isolated private network not exposed to the internet, which would reduce, but not eliminate, the identified exposure. New versions of the BMC software address these vulnerabilities."
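The article's three mitigations are all things an administrator can check from an asset inventory: that BMC interfaces sit on an isolated management network rather than on the internet, that vendor firmware fixes have actually been applied, and that default credentials have been changed. The following audit script is an added example, not code from Eclypsium, Supermicro, or the article; the inventory records, the management subnet, and the record fields (`firmware_patched`, `default_creds_changed`) are constructed assumptions standing in for whatever an organization's own CMDB exports.

```python
"""Audit a BMC inventory against the exposures described in the article.

Added example; the inventory and field names are assumptions, not vendor data.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List

# Assumed: the dedicated, non-internet-routable management network for BMCs.
MGMT_NETS = [ipaddress.ip_network("10.20.0.0/16")]

# RFC 1918 ranges; anything outside them is treated as internet-routable.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


@dataclass
class BmcRecord:
    host: str                   # server the BMC belongs to
    ip: str                     # BMC interface address
    firmware_patched: bool      # vendor fix for the virtual-media flaw applied
    default_creds_changed: bool # factory credentials replaced


def audit_bmc(rec: BmcRecord) -> List[str]:
    """Return the list of exposure findings for one BMC (empty means clean)."""
    findings: List[str] = []
    addr = ipaddress.ip_address(rec.ip)

    if not any(addr in net for net in RFC1918):
        findings.append("internet-routable address")
    elif not any(addr in net for net in MGMT_NETS):
        findings.append("private address outside management network")

    if not rec.firmware_patched:
        findings.append("firmware predates vendor fix")
    if not rec.default_creds_changed:
        findings.append("default credentials still in place")
    return findings


def audit_inventory(records: List[BmcRecord]) -> Dict[str, List[str]]:
    """Map each host name to its findings, omitting hosts with none."""
    report = {}
    for rec in records:
        hits = audit_bmc(rec)
        if hits:
            report[rec.host] = hits
    return report


# Constructed sample inventory (not real systems).
SAMPLE_INVENTORY = [
    BmcRecord("db-01", "10.20.4.11", True, True),        # isolated, patched, rotated
    BmcRecord("web-07", "203.0.113.5", False, False),    # exposed on a public address
    BmcRecord("build-02", "192.168.50.9", True, False),  # private but wrong segment
]

if __name__ == "__main__":
    for host, hits in audit_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {', '.join(hits)}")
```

The ordering of the address checks matters: a BMC on a public address is reported as internet-routable and not additionally as "outside the management network", so each host gets one network finding that names the more serious condition. Patch status and credential state are reported independently, since an isolated BMC with default credentials is still reachable by anyone who has already moved laterally into the network, which is the second attack path the article describes.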