
Supermicro hardware can be hacked to plant fake USB drives


Another significant security flaw has been uncovered in Supermicro hardware that could allow servers to be remotely hacked, researchers have revealed.

According to security firm Eclypsium, at least 47,000 Supermicro servers in 90 countries have unpatched vulnerabilities in the firmware for their baseboard management controllers (BMCs), and this could leave them open to remote attacks.

BMCs are designed to allow administrators to perform out-of-band management of a server. The attack, called USBAnywhere, could be carried out against any vulnerable BMC by attackers after gaining access to a corporate network.

By exploiting these vulnerabilities, attackers could connect to a server and virtually mount any USB device on it over the internet.

The USBAnywhere vulnerability arose from several issues in how BMCs on Supermicro's X9, X10 and X11 platforms implement virtual media, a feature that gives administrators the ability to remotely connect a disk image as a virtual USB CD-ROM or floppy drive.

Eclypsium's researchers found that, when accessed remotely, the virtual media service allows for plaintext authentication, sends most traffic without encryption, uses a weak encryption algorithm and is susceptible to an authentication bypass.

Potential attackers could exploit these issues to gain access to a server by capturing a legitimate user's authentication packet, by using default credentials or, in some cases, without any credentials at all.

Once a connection has been established, the virtual media service allows an attacker to interact with the host system as if they had directly connected a USB device to it. From here, an attacker could load a new operating system image, use a keyboard and mouse to modify the server, implant malware or even disable the server entirely.
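Because every route described above starts with an attacker who can reach the BMC's virtual media service over the network, a defender's first check is who is talking to that service. The script below is an added example, not code from the article or from Eclypsium; it triages constructed flow-log lines and flags hosts outside the management network that connected to the virtual media port. The port (TCP 623, as reported in Eclypsium's USBAnywhere research) and the management subnet are assumptions not stated on this page.

```python
import ipaddress

# TCP 623 is the BMC virtual media service port reported for USBAnywhere;
# the management network below is constructed for this example.
VIRTUAL_MEDIA_PORT = 623
MANAGEMENT_NETWORKS = [ipaddress.ip_network("10.10.0.0/24")]

# Constructed flow-log lines: "<timestamp> <src_ip> <dst_ip> <dst_port> <proto>"
SAMPLE_FLOW_LOG = """\
2019-09-03T10:00:01Z 10.10.0.5 10.10.0.200 623 tcp
2019-09-03T10:00:07Z 192.168.4.17 10.10.0.200 623 tcp
2019-09-03T10:00:09Z 192.168.4.17 10.10.0.201 623 tcp
2019-09-03T10:00:12Z 192.168.4.30 10.10.0.200 443 tcp
2019-09-03T10:00:15Z 203.0.113.9 10.10.0.200 623 tcp
"""


def parse_flow_line(line):
    """Split one constructed flow-log line into its fields."""
    ts, src, dst, dport, proto = line.split()
    return {"ts": ts, "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst), "dport": int(dport), "proto": proto}


def is_management(addr):
    """True when the address belongs to an allowed BMC management network."""
    return any(addr in net for net in MANAGEMENT_NETWORKS)


def find_virtual_media_exposure(log_text):
    """Return {source: [BMCs reached]} for every non-management host that
    connected to the virtual media port; a legitimate admin host is ignored."""
    hits = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_flow_line(line)
        if rec["proto"] != "tcp" or rec["dport"] != VIRTUAL_MEDIA_PORT:
            continue
        if is_management(rec["src"]):
            continue
        hits.setdefault(str(rec["src"]), set()).add(str(rec["dst"]))
    return {src: sorted(dsts) for src, dsts in hits.items()}


if __name__ == "__main__":
    for src, bmcs in find_virtual_media_exposure(SAMPLE_FLOW_LOG).items():
        print(f"non-management host {src} reached BMC virtual media on {bmcs}")
```

Any hit from this check is a segmentation failure worth fixing before patch status is even considered, since the article's attack paths all assume the service is reachable from the corporate network.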

Eclypsium says it reported the flaws to Supermicro and the company has since released a patch to fix the issue.