More than 47,000 servers manufactured by Super Micro Computer Inc. are open to hacking following the discovery of a new set of vulnerabilities that affect the management control firmware used on some the firm’s motherboards.

Dubbed “USBAnywhere” by security researchers at Eclypsium Inc., the vulnerabilities, found on Supermicro’s X9, X10 and X11 boards, can allow an attacker to mount a “virtual” USB drive. The attack can be undertaken remotely and opens the door for a hacker to implant malware, change server settings and more.

“Threats operating at this level can easily subvert traditional security measures and put the device and the integrity of all its data at risk,” the Eclypsium researchers explained. “As such, organizations should begin to treat these layers of security with the attention that it deserves.”

The USBAnywhere vulnerabilities stem from a series of errors made by Supermicro when designing a Java application used by the baseboard management controllers in the servers. It was found that the application allows for plain-text authentication, does not encrypt network traffic by fault and even when a client switches encryption on, the encryption used is weak and can be cracked.

In addition, authentication bypasses are left in place after a client has properly authenticated to the virtual media service and then disconnected. “As the internal state is linked to the client’s socket file descriptor number, a new client that happens to be assigned the same socket file descriptor number by the BMC’s OS inherits this internal state,” the researchers noted.

Eclypsium did disclose the USBAnywhere vulnerabilities to Supermicro before going public and the company is said to have responded quickly, collaborating with Eclypsium to develop a fix for the vulnerabilities.

Those fixes are available from Supermicro’s Security Center and all organizations using the Supermicro X, X10 and X11 are encouraged to patch their servers as soon as possible. That said, the concern is that some Supermicro customers may not be aware of the vulnerabilities and the need to patch their servers.

The news comes nearly a year after a Bloomberg report claimed that Supermicro’s motherboards included Chinese spy chips. The company strongly denied the allegation, releasing an audit in December that found no evidence of the alleged spy chips.

Photo: Pixabay