Supermicro Bug Could Let ‘Virtual USBs’ Take Over Corporate Servers | WIRED

A newly disclosed vulnerability in Supermicro hardware brings the threat of malicious USBs to corporate servers.

A lot can go wrong with corporate network security, but hopefully at a minimum people know not to plug strange USB sticks into network computers. But it turns out that an attacker could exploit flaws in a type of remote management device to plug in all the “virtual” thumb drives they want. And the same type of attack can turn pretty much any USB device into a virtual trojan horse.

In new findings presented at the Open Source Firmware Conference in Silicon Valley on Tuesday, researchers from the security firm Eclypsium detailed vulnerabilities in a number of Supermicro baseboard management controllers. BMCs are special processors installed on server motherboards that give system administrators hardware-level management powers from afar. That comes in handy when admins need to do things like load old software onto a server from a CD or upgrade an operating system from an image on an external hard drive. The BMC's "virtual media" feature lets them do that without physically plugging anything into the server: the server simply sees a directly attached device.

The researchers found that the BMCs on Supermicro X9, X10, and X11 platforms contain flaws that can be exploited to weaponize this legitimate function. An attacker could potentially exfiltrate data to a virtual thumb drive or external hard drive, replace a server's operating system with a malicious one, or simply take the server down. An attacker who already has a foothold on the corporate network can use the flaws to move laterally onto a BMC and gain deeper control. But the attacks can also be launched remotely if organizations leave their BMCs reachable from the open internet, as with the more than 47,000 exposed BMCs the researchers found in a recent sweep.

“There’s an assumption in many security models that physical presence is a significant challenge. However, in our case we have the equivalent of physical presence,” says Rick Altherr, Eclypsium’s principal engineer. “There’s really endless possibilities with this. And BMCs are very, very common devices.”

If an administrator wanted to virtually connect a USB device to a server, she would use a remote management "virtual media" web application from her laptop or another device to call into the BMC and use its hardware-level access. The Eclypsium researchers found, though, that the authentication protecting the BMC service that implements this virtual media protocol is vulnerable to several kinds of attack.

For instance, the BMC can improperly retain the authentication state of a legitimate administrator session, so that the next client to connect can present any username and password and be granted access. Altherr said he found this bug to be highly reliable in testing, but even when that window is closed, an attacker can still try the default Supermicro credentials, which often haven't been changed. And an attacker already on the network who wants to jump to the BMC has a third option: obtaining credentials by intercepting traffic between the web application and the BMC, because the connection is protected only by relatively weak encryption.
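The third path above, credential recovery from intercepted traffic, is worth seeing concretely. The article says only that the link is "relatively weak" encryption and does not describe the cipher, so the model below is an added illustration, not code from Eclypsium, Supermicro or the article: it assumes the weakest realistic case, a stream cipher (textbook RC4) under a single key that is the same on every device and no per-message nonce. The key, user names and passwords are constructed. It shows two consequences: anyone who extracts that one key from any firmware image decrypts logins to any BMC, and even without the key, keystream reuse lets an attacker who has watched their own login go by recover someone else's.

```python
"""Why a static, device-wide stream-cipher key on the admin-to-BMC link leaks
credentials. Added example with constructed key and credentials; the cipher
and message format are assumptions, not the article's description of any
real product's protocol."""

# Assumed: one key baked into every firmware image of the product line.
DEVICE_WIDE_KEY = b"constructed-static-key-0001"

# Assumed: what a per-session key negotiated in a handshake would look like.
SESSION_KEY = b"per-session-key-from-handshake"


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). Encryption and decryption are the same op."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # keystream generation + XOR
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def encrypt_login(username: str, password: str, key: bytes = DEVICE_WIDE_KEY) -> bytes:
    """What the (assumed) client puts on the wire: "user:password" under the key."""
    return rc4(key, f"{username}:{password}".encode())


def recover_with_key(ciphertext: bytes, key: bytes = DEVICE_WIDE_KEY):
    """An attacker who pulled the shared key out of any firmware image decrypts
    the login sent to any BMC. Under the wrong key this yields garbage."""
    user, _, pw = rc4(key, ciphertext).decode(errors="replace").partition(":")
    return user, pw


def recover_without_key(victim_ct: bytes, attacker_ct: bytes, attacker_pt: bytes) -> bytes:
    """Keystream reuse: same key and no nonce means every login is XORed with
    the same keystream, so C_victim XOR C_attacker XOR P_attacker = P_victim
    over the overlapping prefix. The attacker only needs a capture of a login
    whose plaintext they already know (e.g. their own)."""
    n = min(len(victim_ct), len(attacker_ct), len(attacker_pt))
    return bytes(victim_ct[k] ^ attacker_ct[k] ^ attacker_pt[k] for k in range(n))


if __name__ == "__main__":
    victim_ct = encrypt_login("ADMIN", "hunter2")
    print("with extracted key:", recover_with_key(victim_ct))
    my_pt = b"ADMIN:" + b"a" * 32            # attacker's own login, padded long
    my_ct = rc4(DEVICE_WIDE_KEY, my_pt)
    print("without any key:  ", recover_without_key(victim_ct, my_ct, my_pt))
    # Contrast: a fresh per-session key makes the stolen device key useless.
    print("per-session key:  ", recover_with_key(encrypt_login("ADMIN", "hunter2", SESSION_KEY)))
```

The fix implied by the contrast at the end is not a better static key but a protocol that negotiates a fresh key per session with authentication of the BMC (in practice, TLS on the management interface), which is also why the vendor's advice to keep BMCs off networks an attacker can sniff matters until firmware is updated.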

The researchers disclosed the flaws to Supermicro in June, and the company has issued firmware updates for all of the affected BMCs. Eclypsium CEO Yuriy Bulygin notes, though, that like many enterprise devices, BMCs are often slow to get firmware upgrades in practice. As a result, it will likely take time for the patches to reach the vulnerable servers.

“We want to thank the researchers who have identified the BMC Virtual Media vulnerability,” a Supermicro spokesperson said in a statement. “Industry best practice is operating BMCs on an isolated private network not exposed to the internet, which would reduce, but not eliminate, the identified exposure. New versions of the BMC software address these vulnerabilities.”

The attack has all the benefits of tricking employees into plugging malicious thumb drives into network computers without all the fuss of actually having to do it. And because an attacker can attach any USB device, she can use these same vulnerabilities to “connect” a keyboard to the server and directly give commands like shutting the server down or instructing it to boot from an external disk image.

“If you can get into an internal network BMCs are often easy to exploit—recent disclosures have shown this more and more,” says Jatin Kataria, principal scientist at the embedded device security firm Red Balloon. He adds that while large corporate networks always have (or should have) extensive intrusion detection in place, legitimate-looking connections to a BMC may fool these defenses. “I don’t think BMC was even in the enterprise threat model until recent disclosures,” he says.
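Two practical checks follow from the vendor's advice (keep BMCs on an isolated private network) and from Kataria's point that a well-formed connection to a BMC will not trip content-based intrusion detection: enforce the isolation as a policy on who may talk to BMC addresses at all, and flag any BMC on a public address. The script below is an added example, not Eclypsium's or Supermicro's tooling; the BMC address list, the admin management network and the flow-log lines (a simple "timestamp src sport dst dport proto bytes" form) are all constructed for the demonstration.

```python
"""Flag connections to BMC management addresses that violate an isolation
policy, and list BMCs that sit on public addresses. Added example with
constructed inventory and flow records, not the article's or vendor's code."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Assumed inventory of BMC management interfaces (constructed, not real hosts).
BMC_ADDRESSES = {"10.20.0.11", "10.20.0.12", "203.0.113.45"}

# Assumed management network from which admins are allowed to reach BMCs.
ADMIN_NETWORKS = [ipaddress.ip_network("10.20.1.0/24")]

# RFC 1918 space; a BMC outside it is internet-routable unless something filters it.
PRIVATE_NETWORKS = [ipaddress.ip_network(n)
                    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow records: one admin session, one lateral move from a server
# subnet, one hit from the internet on the misplaced BMC, one unrelated flow.
SAMPLE_FLOWS = """\
2019-09-03T10:00:01Z 10.20.1.5 51000 10.20.0.11 443 tcp 8812
2019-09-03T10:00:07Z 10.30.4.77 40112 10.20.0.12 623 tcp 1200
2019-09-03T10:01:13Z 198.51.100.9 55001 203.0.113.45 623 tcp 2048
2019-09-03T10:02:00Z 10.30.4.77 40113 10.30.4.80 22 tcp 9000
this line is deliberately malformed
"""


@dataclass
class Finding:
    kind: str    # "lateral_to_bmc" or "internet_to_bmc"
    src: str
    dst: str
    dport: int


def _in_any(addr, nets) -> bool:
    return any(addr in net for net in nets)


def exposed_bmcs(bmc_addresses=BMC_ADDRESSES) -> List[str]:
    """BMCs on public addresses: the 'left on the open internet' case."""
    return sorted(a for a in bmc_addresses
                  if not _in_any(ipaddress.ip_address(a), PRIVATE_NETWORKS))


def parse_flow(line: str) -> Optional[dict]:
    """Parse one constructed flow line; return None for anything malformed."""
    parts = line.split()
    if len(parts) != 7:
        return None
    try:
        return {"ts": parts[0],
                "src": str(ipaddress.ip_address(parts[1])), "sport": int(parts[2]),
                "dst": str(ipaddress.ip_address(parts[3])), "dport": int(parts[4]),
                "proto": parts[5], "bytes": int(parts[6])}
    except ValueError:
        return None


def audit_flows(lines, bmc_addresses=BMC_ADDRESSES,
                admin_networks=ADMIN_NETWORKS) -> List[Finding]:
    """Every flow to a BMC from outside the admin network is a finding.

    The decision is made on the source address, not on what the session looks
    like: a perfectly well-formed virtual-media login from a compromised
    workstation is still a policy violation, which is what makes this check
    useful where signature-based IDS has nothing to match on.
    """
    findings = []
    for line in lines:
        rec = parse_flow(line)
        if rec is None or rec["dst"] not in bmc_addresses:
            continue
        src = ipaddress.ip_address(rec["src"])
        if _in_any(src, admin_networks):
            continue
        kind = "lateral_to_bmc" if _in_any(src, PRIVATE_NETWORKS) else "internet_to_bmc"
        findings.append(Finding(kind, rec["src"], rec["dst"], rec["dport"]))
    return findings


if __name__ == "__main__":
    print("BMCs on public addresses:", exposed_bmcs())
    for f in audit_flows(SAMPLE_FLOWS.splitlines()):
        print(f"{f.kind}: {f.src} -> {f.dst}:{f.dport}")
```

The same allowlist is what the firewall or ACL in front of the management VLAN should enforce; running the check over flow logs as well catches the cases where that ACL was never written or was bypassed, and the public-address list is the quickest way to find BMCs that should not be reachable from the internet at all.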

In an October 2018 investigation, Bloomberg Businessweek alleged that many Supermicro motherboards around the world had been compromised with a physical backdoor installed by the Chinese military. Supermicro and other tech giants that use the company’s servers deny the validity of the report.

The Eclypsium researchers hope to raise awareness about the potential exposures that can come from BMCs generally, since they are privileged devices intended for remote use. They provide a genuine service to network administrators and may aid admins in doing security upgrades. But as with any such tool, these same traits can potentially be abused by attackers.

Source: Supermicro Bug Could Let ‘Virtual USBs’ Take Over Corporate Servers | WIRED
