Trivial-to-exploit authentication flaws can give an unsophisticated remote attacker ‘omnipotent’ control over a server and its contents.
Authentication vulnerabilities in the baseboard management controllers (BMCs) of Supermicro X9-X11 servers have been discovered that allow a remote attacker to easily connect to a server and mount any virtual USB device of their choosing.
The bugs, collectively dubbed USBAnywhere, allow an attacker to obtain credentials for the BMCs. Once obtained, an attacker can then perform a range of USB-based attacks against the server remotely, including data exfiltration, booting from untrusted OS images or direct manipulation of the system via a virtual keyboard and mouse, according to researchers at Eclypsium.
By design, BMCs are intended to allow administrators to perform out-of-band management of a server, and as a result are highly privileged components. Gaining access to them gives an attacker an avenue to potentially a trove of corporate assets.
“BMCs provide virtually omnipotent control over a server and its contents,” the researchers said in a paper released on Tuesday detailing the bugs.
They found at least 47,000 systems with their BMCs exposed to the internet and using the vulnerable protocol. However, the same issues can be easily exploited by attackers who gain access to a corporate network, meaning the attack surface is much larger than just the internet-facing systems.
“The combination of easy access and straightforward attack avenues can allow unsophisticated attackers to remotely attack some of an organization’s most valuable assets,” Eclypsium analysts said.
Emulating a USB
USBAnywhere stems from several issues in the way that BMCs on Supermicro X9, X10 and X11 platforms implement virtual media, which is an ability to remotely connect a disk image as a virtual USB CD-ROM or floppy drive.
“When accessed remotely, the virtual media service allows plaintext authentication, sends most traffic unencrypted, uses a weak encryption algorithm for the rest and is susceptible to an authentication bypass,” according to the paper. “These issues allow an attacker to easily gain access to a server, either by capturing a legitimate user’s authentication packet, using default credentials, and in some cases, without any credentials at all.”
Once connected, the virtual media service allows the attacker to interact with the host system as a raw USB device. This means attackers can attack the server in the same way as if they had physical access to a USB port, such as loading a new operating system image or using a keyboard and mouse to modify the server, implant malware, or even disable the device entirely.
“Taken together, these weaknesses open several scenarios for an attacker to gain unauthorized access to virtual media,” according to Eclypsium. “In the simplest case, an attacker could simply try the well-known default username and password for the BMC. However, even if the default password was changed, an attacker could still easily gain access. If a valid administrator had used virtual media since the BMC was last powered off, the authentication bypass vulnerability would allow an attacker to connect even without the proper username and password.”
The authentication bypass affects the Supermicro X10 and X11 platforms. After a client has properly authenticated to the virtual media service and then disconnected, some of the service’s internal state about that client is incorrectly left intact, according to Eclypsium.
“As the internal state is linked to the client’s socket file descriptor number, a new client that happens to be assigned the same socket file descriptor number by the BMC’s OS inherits this internal state,” researchers explained. “In practice, this allows the new client to inherit the previous client’s authorization even when the new client attempts to authenticate with incorrect credentials.”
Given that BMCs are intended to be always available, it is particularly rare for a BMC to be powered off or reset. “As a result, the authentication bypass vulnerability is likely to be applicable unless the server has been physically unplugged or the building loses power,” researchers noted.
Once authenticated, the user can access a virtual USB hub on the BMC.
“This virtual hub supports up to five virtual downstream devices that can be configured in almost any fashion,” researchers said. “The devices within the virtual USB hub of the Supermicro devices rely on software on the BMC to provide [the identity and type of device connecting to it]. Consequently, the BMC hardware allows the software to be any USB device. This is how the Java application can be a virtual CD-ROM drive.”
When coupled with frameworks such as Facedancer, which allow users to implement USB devices in software, an attacker can emulate any device they need to perform their chosen malicious task.
“Such a combination of functionality could allow an attacker to boot the machine from a malicious USB image, exfiltrate data over a USB mass storage device, or use a virtual USB Rubber Ducky that rapidly performs a sequence of carefully crafted keystrokes to perform virtually any other type of hacking against the BMC, the firmware, or the server it manages,” according to the research.
The vulnerabilities are getting patches on Tuesday, Sept. 3, and Eclypsium said that Supermicro quickly responded to the disclosures and “committed to providing firmware updates for their X9, X10 and X11 platforms.”
Supermicro did not immediately respond to Threatpost when asked for comment.
The bugs are the latest issue for the vendor, which specializes in green computing for data centers and cloud computing, enterprise IT, big data, high performance computing and embedded markets. It has seen its share of bad publicity since a bombshell Bloomberg report in October claimed its motherboards were bugged – something it denied happened.