UPDATED 21:38 EDT / SEPTEMBER 03 2019

Patch now: Supermicro server vulnerabilities open the door to hackers

More than 47,000 servers manufactured by Super Micro Computer Inc. are open to hacking following the discovery of a new set of vulnerabilities that affect the management control firmware used on some of the firm’s motherboards.

Dubbed “USBAnywhere” by security researchers at Eclypsium Inc., the vulnerabilities, found on Supermicro’s X9, X10 and X11 boards, can allow an attacker to mount a “virtual” USB drive. The attack can be undertaken remotely and opens the door for a hacker to implant malware, change server settings and more.

“Threats operating at this level can easily subvert traditional security measures and put the device and the integrity of all its data at risk,” the Eclypsium researchers explained. “As such, organizations should begin to treat these layers of security with the attention that it deserves.”

The USBAnywhere vulnerabilities stem from a series of errors made by Supermicro when designing a Java application used by the baseboard management controllers in the servers. It was found that the application allows for plain-text authentication, does not encrypt network traffic by default, and even when a client switches encryption on, the encryption used is weak and can be cracked.

In addition, authentication bypasses are left in place after a client has properly authenticated to the virtual media service and then disconnected. “As the internal state is linked to the client’s socket file descriptor number, a new client that happens to be assigned the same socket file descriptor number by the BMC’s OS inherits this internal state,” the researchers noted.
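The socket-descriptor state bug quoted above, as an added toy model that is not Supermicro’s or Eclypsium’s code: a stand-in kernel hands out the lowest free descriptor, the vulnerable service keys authenticated state by that number and never clears it, and the hardened variant binds state to a per-connection id and tears it down on disconnect. Class, method and password values are all constructed for the illustration.

```python
import itertools


class FakeKernel:
    """Constructed stand-in for the BMC OS: hands out the lowest free fd, as real kernels do."""

    def __init__(self):
        self.open = set()

    def accept(self):
        fd = next(i for i in itertools.count(3) if i not in self.open)
        self.open.add(fd)
        return fd

    def close(self, fd):
        self.open.discard(fd)


class VulnerableService:
    """Authenticated state keyed only by the fd number and never cleared on disconnect."""

    def __init__(self, kernel):
        self.kernel, self.state = kernel, {}

    def connect(self):
        return self.kernel.accept()

    def authenticate(self, fd, user, password):
        if password == "correct":  # constructed credential check
            self.state[fd] = user
        return self.is_authenticated(fd)

    def disconnect(self, fd):
        self.kernel.close(fd)  # bug: self.state[fd] survives the socket

    def is_authenticated(self, fd):
        return fd in self.state


class HardenedService(VulnerableService):
    """Same service, but state is bound to a unique connection id and torn down on disconnect."""

    def __init__(self, kernel):
        super().__init__(kernel)
        self.conn_ids, self.fd_to_conn = itertools.count(1), {}

    def connect(self):
        fd = super().connect()
        self.fd_to_conn[fd] = next(self.conn_ids)  # fresh id even if the fd number repeats
        return fd

    def authenticate(self, fd, user, password):
        if password == "correct":
            self.state[self.fd_to_conn[fd]] = user
        return self.is_authenticated(fd)

    def disconnect(self, fd):
        self.state.pop(self.fd_to_conn.pop(fd), None)  # clear state before the fd can be reused
        self.kernel.close(fd)

    def is_authenticated(self, fd):
        return self.fd_to_conn.get(fd) in self.state


def fd_reuse_inherits_auth(service_cls):
    """Client A authenticates and disconnects; client B then receives the same fd.
    Returns True if B is treated as already authenticated."""
    svc = service_cls(FakeKernel())
    fd_a = svc.connect()
    assert svc.authenticate(fd_a, "admin", "correct")
    svc.disconnect(fd_a)
    fd_b = svc.connect()
    assert fd_b == fd_a  # the kernel reuses the lowest free descriptor
    return svc.is_authenticated(fd_b)
```

Running `fd_reuse_inherits_auth` against each class shows the vulnerable service granting the second client the first client’s session while the hardened one does not.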

Eclypsium did disclose the USBAnywhere vulnerabilities to Supermicro before going public and the company is said to have responded quickly, collaborating with Eclypsium to develop a fix for the vulnerabilities.

Those fixes are available from Supermicro’s Security Center, and all organizations using the Supermicro X9, X10 and X11 boards are encouraged to patch their servers as soon as possible. That said, the concern is that some Supermicro customers may not be aware of the vulnerabilities and the need to patch their servers.

The news comes nearly a year after a Bloomberg report claimed that Supermicro’s motherboards included Chinese spy chips. The company strongly denied the allegation, releasing an audit in December that found no evidence of the alleged spy chips.
