A newly disclosed set of vulnerabilities in Supermicro hardware brings the threat of malicious USB devices to corporate servers. By exploiting flaws in a type of remote management device, an attacker can attach as many virtual thumb drives to a server as they like, and the same attack can turn any virtual USB device into a trojan horse.
According to findings presented at the Open Source Firmware Conference in Silicon Valley, held September 3rd to 6th, 2019, researchers from the security firm Eclypsium detailed vulnerabilities in Supermicro baseboard management controllers (BMCs).
BMCs are dedicated processors installed on server motherboards that give system administrators access and control at the hardware management level. That access lets an administrator, for example, install software on the server from a CD or upgrade the operating system from an image on an external hard drive.
Without anything being physically plugged into the server itself, the BMC's virtual media function presents the device to the host as if it were directly connected. The BMCs on Supermicro's X9, X10 and X11 platforms have flaws that can be exploited to weaponize this function.
An attacker who does so can exfiltrate data to a virtual thumb drive or external hard drive, replace the server's operating system with a malicious one, or simply take the server down.
An attacker who already has access to a corporate network can exploit the flaw to gain deeper control by moving onto a BMC. If an organization leaves its BMCs reachable from the open internet, the attack can also be launched remotely.
To connect a USB device virtually to a server, an administrator uses the BMC's remote management virtual media web application from a laptop; the application calls into the BMC and relies on the BMC's access controls to authorize the operation.
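The practical question the two preceding paragraphs raise is whether any of your BMCs can be reached from outside the network they belong on. The script below is an added example, not code from the original article, Eclypsium or Supermicro: it audits a host inventory for BMCs that offer management services outside an approved management network. The inventory format (`name address ports`), the management range 10.20.0.0/24, and the service ports (623 for IPMI/RMCP, 443 for the HTTPS remote-management web application) are all assumptions to adjust for your environment; the sample inventory is constructed, not real systems.

```python
"""Flag BMCs that are reachable outside an approved management network.

Added example, not from the original article, Eclypsium or Supermicro.
Assumptions (adjust for your environment):
  * inventory lines look like "<name> <ip> <comma-separated open ports>"
  * BMC interfaces belong only in MGMT_NETWORKS
  * BMC_PORTS are the services a BMC exposes (623 = IPMI/RMCP, 443 = web UI)
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field

# Assumed policy: BMC interfaces live only on this management VLAN.
MGMT_NETWORKS = [ipaddress.ip_network("10.20.0.0/24")]

# Assumed BMC-facing services: 623 is the standard IPMI/RMCP port, 443 the
# usual HTTPS port for the remote-management (virtual media) web application.
BMC_PORTS = {623, 443}


@dataclass
class Host:
    name: str
    address: ipaddress.IPv4Address | ipaddress.IPv6Address
    open_ports: set[int] = field(default_factory=set)


def parse_inventory(text: str) -> list[Host]:
    """Parse inventory lines; blank lines and '#' comments are skipped."""
    hosts = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, addr, *rest = line.split()
        ports = set()
        if rest:
            ports = {int(p) for p in rest[0].split(",") if p}
        hosts.append(Host(name, ipaddress.ip_address(addr), ports))
    return hosts


def in_management_network(addr) -> bool:
    """True if the address falls inside one of the approved management ranges."""
    return any(addr in net for net in MGMT_NETWORKS)


def exposed_bmcs(hosts: list[Host]) -> list[tuple[str, str, list[int]]]:
    """Return (name, address, ports) for hosts offering BMC services outside MGMT_NETWORKS.

    A host on a public address and a host merely on the wrong internal VLAN are
    flagged the same way: either one lets a client outside the management
    network reach the BMC's virtual media service.
    """
    findings = []
    for h in hosts:
        bmc_services = BMC_PORTS & h.open_ports
        if bmc_services and not in_management_network(h.address):
            findings.append((h.name, str(h.address), sorted(bmc_services)))
    return findings


# Constructed sample inventory (not real systems).
SAMPLE_INVENTORY = """
db01-bmc     10.20.0.11     623,443   # management VLAN: as intended
web03-bmc    203.0.113.7    443,623   # public address: reachable from the internet
build02-bmc  198.51.100.9   22        # public, but no BMC service listening
lab-bmc      192.168.5.2    623       # private, yet outside the management VLAN
"""

if __name__ == "__main__":
    for name, addr, ports in exposed_bmcs(parse_inventory(SAMPLE_INVENTORY)):
        print(f"EXPOSED {name} {addr} ports={ports}")
```

Running it against the sample flags `web03-bmc` and `lab-bmc`; `build02-bmc` is skipped because nothing BMC-related listens on it, and `db01-bmc` is in the approved range. The check is deliberately allowlist-based rather than "is this a public IP": a BMC on an ordinary office VLAN is just as reachable by an attacker who already has corporate network access, which is the scenario the article describes.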
Eclypsium's researchers raised awareness of the exposure that these BMCs create. A Supermicro spokesperson confirmed that new versions of the BMC firmware address the vulnerabilities. Until that updated firmware is applied, the practical mitigation is to keep BMC interfaces off the open internet and reachable only from a dedicated management network.
If you have any questions, do not hesitate to contact us.