Virtual Media Vulnerability in BMC Opens Servers to Remote Attack (Sep 3, 2019)
Eclypsium researchers have published research discussing a vulnerability, dubbed “USBAnywhere,” that affects Baseboard Management Controllers (BMCs) on Supermicro’s X9, X10 and X11 servers. A BMC is a special processor used to monitor the physical state of hardware. USBAnywhere takes advantage of several problems in the way BMCs handle access to virtual media, which is typically managed by a Java application. Researchers found that the weaknesses of the BMC’s Java application, which connects to a virtual media service on TCP port 623, include authentication bypass, plaintext authentication, unencrypted network traffic, and weak encryption. Exploitation results in the ability “to easily connect to a server and virtually mount any USB device of their choosing to the server, remotely over any network including the Internet.” At the time of this writing, researchers found approximately 47,000 systems that had BMCs connected to the internet.
Recommendation: This story shows the need for patch-application policies to be in place to avoid potential malicious activity, especially if your company uses systems that are connected to the internet. In addition, this vulnerability could be exploited by threat actors inside corporate networks after an initial foothold was gained in another manner, such as a phishing email or exploiting a different vulnerability. Furthermore, Eclypsium shared their findings with Supermicro, and the company was able to create a patch to fix this vulnerability.
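As an added example (not from the Eclypsium research or this briefing), a small Python check that flags connections to the BMC virtual media service port, TCP 623, from any source outside an assumed management network; the BMC subnet, the allowed source subnet and the flow log lines are constructed for illustration, and the check catches both internet-sourced and internal lateral-movement attempts, which is the scenario the recommendation above describes.

```python
import ipaddress
from collections import namedtuple

# Constructed sample flow records (not real traffic): timestamp, src, dst, proto, dport.
SAMPLE_FLOWS = """\
2019-09-03T10:00:01Z 10.10.1.5 10.10.0.20 tcp 623
2019-09-03T10:00:07Z 198.51.100.23 10.10.0.20 tcp 623
2019-09-03T10:00:09Z 10.20.3.8 10.10.0.21 tcp 623
2019-09-03T10:00:12Z 198.51.100.23 10.10.0.20 tcp 443
"""

# Assumed for this example: BMC management interfaces live in 10.10.0.0/24,
# and only the 10.10.1.0/24 jump network is permitted to reach them.
BMC_NET = ipaddress.ip_network("10.10.0.0/24")
ALLOWED_SRC = [ipaddress.ip_network("10.10.1.0/24")]
VIRTUAL_MEDIA_PORT = 623  # TCP port used by the Supermicro virtual media service

Flow = namedtuple("Flow", "ts src dst proto dport")


def parse_flows(text):
    """Parse whitespace-separated flow lines into Flow records."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, dport = line.split()
        flows.append(Flow(ts, ipaddress.ip_address(src),
                          ipaddress.ip_address(dst), proto.lower(), int(dport)))
    return flows


def suspicious_virtual_media_access(flows):
    """Return flows that reach TCP 623 on a BMC from a source outside the allow list."""
    hits = []
    for f in flows:
        if f.proto != "tcp" or f.dport != VIRTUAL_MEDIA_PORT:
            continue
        if f.dst not in BMC_NET:
            continue
        if any(f.src in net for net in ALLOWED_SRC):
            continue  # expected management traffic
        hits.append(f)
    return hits


if __name__ == "__main__":
    for f in suspicious_virtual_media_access(parse_flows(SAMPLE_FLOWS)):
        print(f"ALERT {f.ts} {f.src} -> {f.dst}:{f.dport} ({f.proto})")
```

On the sample data the check reports the external source 198.51.100.23 and the internal, non-management host 10.20.3.8; the port 443 flow is ignored.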
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.