
9/30/2019 Supermicro: New Critical Security Flaw Lets Hackers Take Over Corporate Servers, Exfiltrate Data

3,333 views | Sep 4, 2019, 02:06am

Supermicro: New Critical Security Flaw Lets Hackers Take Over Corporate Servers, Exfiltrate Data
Jeb Su Subscriber
Enterprise & Cloud
Principal Analyst and Technology Futurist at Atherton Research

A new critical security flaw dubbed USBAnywhere leaves Supermicro servers vulnerable to remote... [+] GETTY

On Tuesday, at the Open Source Firmware Conference (OSFC) in Mountain View (Silicon Valley), Eclypsium security researcher Rick Altherr (pictured below) revealed a new critical security flaw dubbed USBAnywhere that leaves Supermicro servers vulnerable to remote cyber-attacks.

https://www.forbes.com/sites/jeanbaptiste/2019/09/04/super-micro-new-critical-security-flaw-lets-hackers-take-over-corporate-servers-exfiltrate-data/#… 1/5

Maggie (@_m46s):

Watching @kc8apf's USBAnywhere Supermicro BMC research. Was excited for this one! @osfc_io

2:13 PM - Sep 3, 2019

This discovery is all the more worrisome because Supermicro is one of the leading manufacturers of servers used by corporations around the world, so it affects both data centers and cloud deployments.

According to IDC's latest report on the worldwide server market, Supermicro holds the
fourth spot with 5.3% market share, tied with Huawei and Lenovo, but behind Dell, HP
Enterprise and Inspur, with 138 million servers shipped in the first quarter of 2019
alone.

"I tested every machine in our lab and only Supermicro was affected by USBAnywhere," Altherr told me.

In a nutshell, the vulnerabilities found on Supermicro's X9, X10 and X11 server motherboards—including plaintext authentication, weak encryption, and authentication bypass—allow an attacker to easily connect, over any network including the Internet, to a vulnerable server—via a privileged hardware component called the baseboard management controller (BMC)—and add a virtual USB device to it in order, for example, to remotely load a new operating system image or use a keyboard and mouse to modify the server, implant malware, or even disable the server entirely.

"The types of vulnerabilities commonly found in BMCs today are the same types of
vulnerabilities that were commonly found in operating systems and applications a
decade ago," added Altherr. "It took a lot of work to educate software teams on how to
think about security and code securely. If anything, this shows that the BMC software
teams need a similar education."

Unfortunately, the combination of easy access and straightforward attack avenues allows unsophisticated attackers to remotely compromise an organization’s most valuable assets.

And in the proof-of-concept video below, the Eclypsium researchers demonstrated how
they were able to remotely exfiltrate data from a vulnerable Supermicro server.

USBAnywhere PoC Demo

At the time of writing, Eclypsium found that at least 47,000 vulnerable Supermicro servers were accessible on the Internet from over 90 different countries despite the availability of a software patch.


Eclypsium reported the vulnerabilities to Supermicro in mid-June, and the company took more than a month to acknowledge the issue. But it wasn't until mid-August that the Silicon Valley-based server maker confirmed its intent to publicly release a firmware update by September 3.

During his presentation at OSFC, Altherr shared some advice for hardware manufacturers (OEMs) to help them improve the security of their firmware, including establishing a security response team (SRT), generating per-device default passwords and certificates, and requiring secure boot.

At the Open Source Firmware Conference, Rick Altherr shared this takeaway slide to help hardware ... [+] RICK ALTHER

Atherton Research Insights

The Supermicro vulnerabilities were found in the servers' low-level software, also known as firmware.

While organizations are usually quick to apply patches for their application software and operating systems, the same is often not true for the firmware inside their servers, which is often much more tedious to patch.

However, as noted by Eclypsium researchers, BMCs are some of the most privileged components in enterprise technology today, with the ability to provide remote, out-of-band management for servers, and with virtually omnipotent control over the server and its content.

BMCs have also become one of the most active areas of security research due to their
importance and reputation for being riddled with vulnerabilities.

Finally, last October, a Bloomberg Businessweek report alleged that Chinese spy chips were found on Supermicro’s motherboards, which the San Jose, California-based company strongly denied.

In an interesting twist, what Eclypsium security researchers ultimately found—with the vulnerabilities in Supermicro's BMC firmware—is in effect an open door that can be used by attackers to take control of a Supermicro server and use it to penetrate the entire network of an organization in order to steal valuable information or initiate a malware or ransomware attack.

It goes without saying that if you have one or more of the affected Supermicro servers in your organization, you should patch them immediately.


Jeb Su

Jean Baptiste "Jeb" Su is Principal Analyst and Technology Futurist at Atherton Technology Research, a global strategy and intelligence consultancy firm located in Silic...
