How to Plug the Latest Supermicro Server Security Hole
The vulnerability gives attackers a way in through the internet, but that’s not the whole extent of the risk.
September 6, 2019
Supermicro, the world’s fourth-largest server seller, just can't catch a break.
This week, researchers found another major security vulnerability in its hardware. This one gives an attacker the kind of power they would have if they were physically inside your data center and could plug a USB stick filled with malicious code into a server – without having to be anywhere near the facility. The connection is fully virtual and can take place over any network, including the internet.
"At the time of writing, we found at least 47,000 systems with their BMCs [Baseboard Management Controllers] exposed to the Internet and using the relevant protocol," the researchers said in their report. "It is important to remember that these are only the BMCs that are directly exposed to the Internet. The same issues can be easily exploited by attackers who gain access to a corporate network."
The researchers notified Supermicro of the problem, and the company quickly responded with a fix. Firmware updates are currently available for the X9, X10, and X11 platforms on Supermicro’s Security Center page and Virtual Media Vulnerability details page.
According to Supermicro, a problem caused by the security hole has not been reported in a customer environment.
Earlier this year, another vulnerability in the company's BMC, the "bare metal" firmware layer of the server, enabled attackers to change the firmware. This was particularly damaging for shared environments, such as cloud data centers, where different users might be using the same machine.
That was followed in June by another report by Eclypsium, whose researcher found multiple "easily discoverable" vulnerabilities in various Supermicro systems.
For those unable to install the fix for the latest USB vulnerability, one remediation is to disable virtual media on affected machines by blocking TCP port 623.
Industry best practice is to operate BMCs on isolated private networks not exposed to the internet, Supermicro said but admitted that it would reduce but not eliminate the risk.
Data centers should install the firmware update immediately, said Chris Kennedy, CISO and VP of customer success at AttackIQ, a San Francisco-based security firm. If not, attackers could take a server offline, replace its operating system with a malicious one, and move laterally through the network of the data center it’s sitting in, he said.
BMC is a crucial piece of technology in data center management. Managing hundreds or thousands of servers – or hundreds of thousands – is impossible if you must do it by physically touching each box. The BMC allows remote control and maintenance of the server fleet.
"But with this great power comes great responsibility," said Pankaj Parekh, chief product and strategy officer at SecurityFirst. "Gaining access to the BMC means that the server can easily be compromised. Today it’s Supermicro, tomorrow it will be another vendor."
He suggested that data centers start adopting a "zero trust" approach to their networks. "Assume that every BMC is sitting exposed on the internet and provide all the protections that you would in that situation," he said.
That includes strong access controls, including eliminating any use of default passwords and encrypting traffic to prevent "man-in-the-middle" attacks.
He also suggested using policy controls to only allow BMC access by known, authorized entities, "locking out and reporting any software probing for weaknesses."
This is also a good reminder for data center managers to review their response plans, said AttackIQ's Kennedy.
To start with, they should have an asset management program, so they can quickly tell if any of their infrastructure is exposed once a vulnerability comes to light. Then, they need to have controls in place to protect the systems while the problem is addressed.
There are also other aspects to an incident response plan besides just the technical ones, he added. "How am I going to communicate to my customer about how I am going to manage this risk?"
About the Author
You May Also Like