USBAnywhere Supermicro IPMI Virtual Media Vulnerability
On September 3, 2019 (US time), Eclypsium published information about an IPMI vulnerability in Supermicro BMCs during the Open Source Firmware Conference 2019. Using the Virtual Media function, it is possible to remotely attach a USB device without proper authentication and thus transfer malicious code to the server.
Problem
Eclypsium researchers have demonstrated that a vulnerability in the Virtual Media feature allows virtual USB devices to be remotely attached to a server without prior authentication, thus transferring potential malware to the server.[1]
Solution
Operate IPMI not openly in the Internet
As a best practice, Thomas-Krenn generally recommends that administrative interfaces such as SSH logins, remote desktop connections or IPMI ports not be exposed openly on the Internet, but operated only in a protected network. Where this is the case, there is no immediate risk from this vulnerability. You will find further information in the following places:
- IPMI Best Practices (Thomas-Krenn-Wiki, German)
- 7 points for more security in dealing with IPMI (TKmag, German, 04.07.2016)
- IPMI Security - Best Practices (Thomas-Krenn Webinar Recording, German, 03.11.2014)
Disable Virtual Media Function
To prevent access to the Virtual Media interface, we recommend deactivating the Virtual Media function in the IPMI web interface under Configuration -> Ports -> Virtual Media until updated firmware is available.
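The following audit script is an added example (not code from Thomas-Krenn, Supermicro or Eclypsium) that checks both recommendations above: it lists BMCs whose management address lies outside the protected management network, and it probes whether the Virtual Media service still answers after it has been disabled. The inventory, the management prefix 10.42.0.0/16 and the port number are assumptions: TCP 623 is used here as the Supermicro Virtual Media port, which this page does not state.

```python
"""BMC exposure audit (added example, assumptions marked below)."""
import ipaddress
import socket

# Constructed sample inventory: (hostname, BMC address).
BMC_INVENTORY = [
    ("srv-01", "10.42.0.11"),
    ("srv-02", "10.42.0.12"),
    ("srv-03", "192.168.1.9"),   # office LAN, not the management VLAN
    ("srv-04", "203.0.113.7"),   # documentation range standing in for a public IP
]

# Assumed protected management network; only BMC addresses inside it are acceptable.
PROTECTED_MGMT_NETS = [ipaddress.ip_network("10.42.0.0/16")]

# Assumed port of the Supermicro Virtual Media service (TCP); not stated on this page.
VIRTUAL_MEDIA_PORT = 623


def find_exposed_bmcs(inventory, protected_nets=PROTECTED_MGMT_NETS):
    """Return hostnames whose BMC address is outside every protected network."""
    exposed = []
    for host, addr in inventory:
        ip = ipaddress.ip_address(addr)
        if not any(ip in net for net in protected_nets):
            exposed.append(host)
    return exposed


def virtual_media_port_open(addr, port=VIRTUAL_MEDIA_PORT, timeout=2.0):
    """True if a TCP connection to the assumed Virtual Media port succeeds.

    Run this from a segment that should not reach the BMC after disabling
    Virtual Media (Configuration -> Ports -> Virtual Media). A True result
    means the service still answers and the mitigation is not in place.
    """
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out or unreachable
        return False


if __name__ == "__main__":
    for host in find_exposed_bmcs(BMC_INVENTORY):
        print(f"{host}: BMC address outside the protected management network")
```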
Firmware Update
For information on available firmware updates, refer to the IPMI Security Updates article.
Further Information
- BMC/IPMI Security Vulnerability (www.supermicro.com)
- Security Vulnerabilities Table (www.supermicro.com)
- USBAnywhere bug exposes Supermicro servers to remote attacks (www.heise.de, 04.09.2019)
References
- ↑ Virtual Media Vulnerability in BMC Opens Servers to Remote Attack (eclypsium.com, 03.09.2019)
Author: Werner Fischer
Werner Fischer, working in the Knowledge Transfer team at Thomas-Krenn, completed his studies of Computer and Media Security at FH Hagenberg in Austria. He is a regular speaker at many conferences like LinuxTag, OSMC, OSDC, LinuxCon, and author for various IT magazines. In his spare time he enjoys playing the piano and training for a good result at the annual Linz marathon relay.