The vulnerability impacts three generations of Supermicro motherboards. Fortunately, a fix is already available. Credit: IDG / Thinkstock A security group discovered a vulnerability in three models of Supermicro motherboards that could allow an attacker to remotely commandeer the server. Fortunately, a fix is already available. Eclypsium, which specializes in firmware security, announced in its blog that it had found a set of flaws in the baseboard management controller (BMC) for three different models of Supermicro server boards: the X9, X10, and X11. BMCs are designed to permit administrators remote access to the computer so they can do maintenance and other updates, such as firmware and operating system patches. It’s meant to be a secure port into the computer while at the same time walled off from the rest of the server. Normally BMCs are locked down within the network in order to prevent this kind of malicious access in the first place. In some cases, BMCs are left open to the internet so they can be accessed from a web browser, and those interfaces are not terribly secure. That’s what Eclypsium found. For its BMC management console, Supermicro uses an app called virtual media application. This application allows admins to remotely mount images from USB devices and CD or DVD-ROM drives. When accessed remotely, the virtual media service allows for plaintext authentication, sends most of the traffic unencrypted, uses a weak encryption algorithm for the rest, and is susceptible to an authentication bypass, according to Eclypsium. Eclypsium was more diplomatic than I, so I’ll say it: Supermicro was sloppy. These issues allow an attacker to easily gain access to a server, either by capturing a legitimate user’s authentication packet, using default credentials, and in some cases, without any credentials at all. “This means attackers can attack the server in the same way as if they had physical access to a USB port, such as loading a new operating system image or using a keyboard and mouse to modify the server, implant malware, or even disable the device entirely,” Eclypsium wrote in its blog post. All told, the team found four different flaws within the virtual media service of the BMC’s web control interface. How an attacker could exploit the Supermicro flaws According to Eclypsium, the easiest way to attack the virtual media flaws is to find a server with the default login or brute force an easily guessed login (root or admin). In other cases, the flaws would have to be targeted. Normally, access to the virtual media service is conducted by a small Java application served on the BMC’s web interface. This application then connects to the virtual media service listening on TCP port 623 on the BMC. A scan by Eclypsium on port 623 turned up 47,339 exposed BMCs around the world. Eclypsium did the right thing and contacted Supermicro and waited for the vendor to release an update to fix the vulnerabilities before going public. Supermicro thanked Eclypsium for not only bringing this issue to its attention but also helping validate the fixes. Eclypsium is on quite the roll. In July it disclosed BMC vulnerabilities in motherboards from Lenovo, Gigabyte and other vendors, and last month it disclosed flaws in 40 device drivers from 20 vendors that could be exploited to deploy malware. Related content news Nvidia, Google Cloud team to boost AI startups Plus, Google unveils Axion, its custom Arm-based chip for data centers, at Google Cloud Next 2024. By Andy Patrizio Apr 11, 2024 3 mins CPUs and Processors Google Cloud Next news Mainframe turns 60 with no plans for retirement Decades after some predicted its demise, the mainframe is as vital as ever, even in the era of AI. By Andy Patrizio Apr 10, 2024 3 mins Mainframes Data Center news Chipmakers report minimal disruptions from Taiwan earthquake The magnitude 7.4 earthquake struck fairly close to Taipei, which plays a vital role in the global chip supply chain. By Andy Patrizio Apr 04, 2024 2 mins CPUs and Processors news Nvidia GTC 2024 wrap-up: Blackwell not the only big news More happened at the Nvidia GTC conference than the Blackwell announcement, including the launch of two new high-speed network platforms. By Andy Patrizio Mar 29, 2024 5 mins CPUs and Processors High-Performance Computing Data Center PODCASTS VIDEOS RESOURCES EVENTS NEWSLETTERS Newsletter Promo Module Test Description for newsletter promo module. Please enter a valid email address Subscribe