Incident: Vulnerabilities in Supermicro Baseboard Management Controllers Lead to Data Breach

Published Date: 2019-09-03

Postmortem Analysis
Timeline
1. The software failure incident involving vulnerabilities in Supermicro baseboard management controllers came to light in June 2019, when researchers from the security firm Eclypsium disclosed the flaws to Supermicro [89631].

System
1. Supermicro baseboard management controllers on X9, X10, and X11 platforms [89631]

Responsible Organization
1. Attackers exploiting flaws in Supermicro baseboard management controllers (BMCs) were responsible for causing the software failure incident [89631].

Impacted Organization
1. System administrators using Supermicro baseboard management controllers were impacted by the software failure incident [89631].

Software Causes
1. Flaws in Supermicro baseboard management controllers (BMCs) on X9, X10, and X11 platforms that could be exploited to exfiltrate data, replace a server's operating system with a malicious one, or take the server down [89631].
2. Weak authentication protections in the systems running the virtual media protocols: a legitimate administrator login was stored improperly, so a subsequent user could gain access with any username and password [89631].
3. Weak encryption protecting the connection between the web application and the BMC, enabling attackers to intercept traffic and obtain credentials [89631].
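A toy model of the second software cause above, added here as an illustration; it is not Supermicro or Eclypsium code, and the real firmware's internals are not described on this page. It shows only the behaviour the article reports: a virtual-media service that remembers a successful administrator login service-wide, so the next client is let in with any username and password, beside a hardened version that ties authentication state to a per-connection session token. The credential store, the password and all names are constructed.

```python
"""Toy model of a virtual-media service whose authentication state leaks
between clients, beside a hardened version.  Added illustration; not code
from Supermicro or Eclypsium.  The credential store and password below are
constructed values."""
import hashlib
import hmac
import secrets

_SALT = b"constructed-salt"          # constructed; a real store uses per-user salts
_ITERATIONS = 10_000                  # kept low so the demo runs quickly


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITERATIONS)


# Constructed credential store: username -> PBKDF2 hash of the password.
ADMIN_USERS = {"ADMIN": _hash("correct horse battery staple")}


def credentials_valid(user: str, password: str) -> bool:
    """Verify a username/password pair without leaking which part failed."""
    stored = ADMIN_USERS.get(user)
    candidate = _hash(password)      # hash even for unknown users (uniform timing)
    if stored is None:
        return False
    return hmac.compare_digest(stored, candidate)


class VulnerableVirtualMediaService:
    """Models the flaw the article describes: a successful login is
    remembered on the service object, which every later client shares."""

    def __init__(self):
        self.cached_login = None     # set once, never tied to a connection

    def connect(self, user: str, password: str) -> bool:
        if self.cached_login is not None:
            # Bug: an earlier administrator's login lets this client in
            # regardless of what it supplied.
            return True
        if credentials_valid(user, password):
            self.cached_login = user
            return True
        return False


class HardenedVirtualMediaService:
    """Authentication state is a per-connection session token; nothing
    about one client's login is consulted when another client connects."""

    def __init__(self):
        self._sessions = {}          # token -> user

    def connect(self, user: str, password: str):
        """Return a fresh session token on success, None on failure."""
        if not credentials_valid(user, password):
            return None
        token = secrets.token_hex(16)
        self._sessions[token] = user
        return token

    def is_authenticated(self, token: str) -> bool:
        return token in self._sessions

    def disconnect(self, token: str) -> None:
        self._sessions.pop(token, None)


def replay_sequence():
    """Administrator logs in, then a second client offers garbage credentials.
    Returns (vulnerable_accepts_second_client, hardened_token_for_second_client)."""
    vuln = VulnerableVirtualMediaService()
    vuln.connect("ADMIN", "correct horse battery staple")
    vulnerable_result = vuln.connect("nobody", "wrong")     # True: the bug

    hard = HardenedVirtualMediaService()
    hard.connect("ADMIN", "correct horse battery staple")
    hardened_result = hard.connect("nobody", "wrong")       # None: rejected
    return vulnerable_result, hardened_result


if __name__ == "__main__":
    print(replay_sequence())   # (True, None)
```

The design point is where the authentication decision is stored: on the service, it outlives the connection that earned it; as a session token handed back to one client, it cannot be consumed by another, and `disconnect` retires it explicitly.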
Non-software Causes
1. Physical security vulnerabilities in Supermicro baseboard management controllers (BMCs) allowed attackers to exploit the controllers' hardware-level management powers from afar [89631].
2. Weak encryption in the connection between the web application and the BMCs allowed attackers to intercept traffic and obtain credentials [89631].
3. Improper storage of legitimate administrator logins in the systems running virtual media protocols allowed unauthorized access [89631].
4. Default Supermicro credentials that often had not been changed provided an entry point for attackers [89631].

Impacts
1. The software failure incident allowed attackers to exploit flaws in Supermicro baseboard management controllers (BMCs) on server motherboards, potentially leading to data exfiltration, operating system replacement, or server takedown [89631].
2. The vulnerabilities in the BMCs could be used by attackers to remotely gain deeper control over corporate networks, either with existing network access or by exploiting exposed BMCs on the open internet [89631].
3. The incident highlighted weaknesses in authentication protections for remote management "virtual media" protocols, allowing unauthorized access to BMCs [89631].
4. The software failure incident exposed the risk of attackers using the vulnerabilities to virtually connect any USB device to servers, enabling them to issue commands such as shutting down servers or booting from external disk images [89631].
5. The slow process of implementing firmware updates for BMCs in practice could delay the application of patches to vulnerable servers, leaving them exposed to potential attacks [89631].

Preventions
1. Implementing strong authentication mechanisms and changing default credentials could have prevented the software failure incident [89631].
2. Keeping BMCs on an isolated private network not exposed to the internet could have reduced the exposure to attacks [89631].
3. Ensuring timely firmware updates for BMCs to address vulnerabilities could have prevented the exploitation of the flaws [89631].
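The three preventions above are checkable against an inventory, and the following audit script (an added example, not Supermicro tooling or anything described on this page) does that for each BMC: non-default credentials, isolation from the internet, and current firmware. The inventory layout, the `reachable_from` field, the default-credential list and the minimum firmware version are assumptions, placeholders to replace with the values from your own fleet and the vendor advisory; the sample inventory is constructed.

```python
"""Audit a BMC inventory against the three preventions listed above:
non-default credentials, isolation from the internet, current firmware.
Added example; not Supermicro tooling.  The inventory layout, the
default-credential list and the minimum firmware version are assumptions
(placeholders to replace with the values from your own fleet and the
vendor advisory); the sample inventory is constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass
class BmcRecord:
    host: str
    mgmt_ip: str
    username: str
    password: str
    firmware: str         # dotted version string, e.g. "3.50.00"
    reachable_from: str   # assumed inventory field: "internet" or "management_vlan"


# Placeholder list; populate from the credentials your hardware shipped with.
DEFAULT_CREDENTIALS = {("ADMIN", "ADMIN")}

# Placeholder; set to the fixed version named in the vendor's firmware advisory.
MINIMUM_FIRMWARE = "3.90.00"


def parse_version(version: str) -> tuple:
    """'3.50.00' -> (3, 50, 0) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def audit(record: BmcRecord) -> list:
    """Return the list of findings for one BMC (an empty list means it passes)."""
    findings = []
    if (record.username, record.password) in DEFAULT_CREDENTIALS:
        findings.append("default-credentials")
    ip = ipaddress.ip_address(record.mgmt_ip)
    # A BMC belongs on a private management network; an address outside the
    # private ranges, or one recorded as reachable from the internet, is exposed.
    if record.reachable_from == "internet" or not ip.is_private:
        findings.append("internet-exposed")
    if parse_version(record.firmware) < parse_version(MINIMUM_FIRMWARE):
        findings.append("firmware-outdated")
    return findings


def audit_inventory(records) -> dict:
    """Map host -> findings for every BMC in the inventory."""
    return {record.host: audit(record) for record in records}


# Constructed sample inventory (hosts, addresses, passwords and versions are made up).
SAMPLE_INVENTORY = [
    BmcRecord("db-01", "10.10.0.5", "ADMIN", "ADMIN", "3.50.00", "management_vlan"),
    BmcRecord("web-03", "100.64.1.1", "ADMIN", "Unique-Passphrase-1", "3.90.00", "internet"),
    BmcRecord("build-07", "10.10.0.7", "bmcadmin", "Unique-Passphrase-2", "3.91.00", "management_vlan"),
]


if __name__ == "__main__":
    for host, findings in audit_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {'OK' if not findings else ', '.join(findings)}")
```

Versions are compared as integer tuples rather than strings, so "3.9.00" does not sort above "3.10.00"; the exposure rule combines the inventory's own reachability record with the address check, because a BMC on a private range can still be published through NAT or a jump host, which is exactly the exposed-BMC population the article's sweep counted.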
Fixes
1. Firmware updates for all affected BMCs issued by Supermicro [89631].

References
1. Eclypsium researchers [89631]
2. Supermicro [89631]
3. Bloomberg Businessweek [89631]
4. Red Balloon [89631]

Software Taxonomy of Faults

Category Option Rationale
Recurring one_organization, multiple_organization (a) The software failure incident related to vulnerabilities in Supermicro baseboard management controllers (BMCs) has happened again at the same organization, Supermicro. In October 2018, Bloomberg Businessweek alleged that many Supermicro motherboards worldwide had been compromised with a physical backdoor installed by the Chinese military, which was denied by Supermicro and other tech giants [89631]. (b) The software failure incident related to vulnerabilities in BMCs has also happened at multiple organizations. The researchers found more than 47,000 exposed BMCs in a recent sweep, indicating that this issue is not limited to a single organization but is a widespread concern across various entities that use Supermicro X9, X10, and X11 platforms [89631].
Phase (Design/Operation) design, operation (a) The software failure incident related to the design phase is evident in the vulnerabilities found in Supermicro baseboard management controllers (BMCs) on server motherboards. Researchers from the security firm Eclypsium detailed flaws in BMCs on Supermicro X9, X10, and X11 platforms that could be exploited to exfiltrate data, replace a server's operating system with a malicious one, or even take the server down [89631]. (b) The software failure incident related to the operation phase is highlighted by the vulnerabilities in the authentication protections on the systems that run the remote management "virtual media" protocols. These vulnerabilities allowed for improper storage of legitimate administrator logins, potentially enabling unauthorized access by the next user entering any username and password [89631].
Boundary (Internal/External) within_system (a) The software failure incident described in the article is within_system. The vulnerabilities in the Supermicro baseboard management controllers (BMCs) allowed attackers to exploit flaws within the system, enabling them to exfiltrate data, replace the server's operating system with a malicious one, or even take the server down [89631]. The flaws in the BMCs themselves, such as weak authentication protections and encryption, contributed to the software failure incident originating from within the system.
Nature (Human/Non-human) non-human_actions, human_actions (a) The software failure incident in this case is primarily due to non-human actions, specifically vulnerabilities in Supermicro baseboard management controllers (BMCs) that can be exploited by attackers to weaponize legitimate functions and gain unauthorized access to servers [89631]. (b) However, human actions also play a role in this incident as the vulnerabilities in the BMCs were identified and disclosed by researchers from the security firm Eclypsium, who then reported the flaws to Supermicro and prompted the issuance of firmware updates to address the vulnerabilities [89631].
Dimension (Hardware/Software) hardware, software (a) The software failure incident in the article is related to hardware, specifically vulnerabilities in Supermicro baseboard management controllers (BMCs) installed on server motherboards [89631]. (b) The software failure incident is also related to software, as the vulnerabilities in the BMCs allowed for exploitation of authentication protections and weaknesses in the virtual media protocols used for remote management [89631].
Objective (Malicious/Non-malicious) malicious (a) The software failure incident described in the article is malicious in nature. It involves attackers exploiting vulnerabilities in Supermicro baseboard management controllers (BMCs) to gain unauthorized access and control over servers remotely. The attackers can exfiltrate data, replace the server's operating system with a malicious one, or even take the server down. The attack allows for the virtual connection of USB devices to servers, enabling attackers to trick employees into plugging in malicious devices without physical access. The vulnerabilities in the BMCs were identified by researchers from the security firm Eclypsium, who disclosed the flaws to Supermicro and highlighted the potential risks associated with BMCs being privileged devices intended for remote use [89631]. (b) The software failure incident is non-malicious in the sense that the vulnerabilities in the Supermicro BMCs were not intentionally introduced to harm the system. These flaws were identified by security researchers who responsibly disclosed them to the company, leading to the issuance of firmware updates to address the vulnerabilities. However, the slow adoption of firmware upgrades in enterprise devices like BMCs poses a challenge in mitigating the risks associated with these vulnerabilities. The incident highlights the importance of timely patching and secure configuration of devices to prevent potential exploitation by malicious actors [89631].
Intent (Poor/Accidental Decisions) poor_decisions (a) The intent of the software failure incident was poor_decisions as it was due to contributing factors introduced by poor decisions. The vulnerabilities in Supermicro baseboard management controllers (BMCs) allowed attackers to exploit flaws in the remote management devices, potentially exfiltrate data, replace server operating systems with malicious ones, or even take servers down [89631]. The flaws in the BMCs were exploited due to weaknesses in authentication protections, improper storage of legitimate administrator logins, and relatively weak encryption, making it easier for attackers to gain unauthorized access [89631]. Additionally, the incident highlighted the slow process of getting firmware upgrades for BMCs in practice, which further exacerbated the security risks [89631].
Capability (Incompetence/Accidental) development_incompetence, accidental (a) The software failure incident reported in the article is related to development incompetence. The vulnerabilities in Supermicro baseboard management controllers (BMCs) were exploited due to flaws in the authentication protections on the systems running virtual media protocols. These vulnerabilities allowed attackers to potentially exfiltrate data, replace a server's operating system with a malicious one, or take the server down [89631]. The incident highlights the importance of professional competence in developing secure software systems to prevent such exploits. (b) The software failure incident can also be attributed to accidental factors. For example, the article mentions that the authentication protections on the systems running virtual media protocols were vulnerable to numerous types of attacks, indicating accidental flaws in the design or implementation of the software [89631]. Such accidental vulnerabilities can lead to serious security breaches if not identified and addressed promptly.
Duration temporary The software failure incident described in the article is more aligned with a temporary failure rather than a permanent one. This is evident from the fact that the vulnerabilities in the Supermicro baseboard management controllers (BMCs) were identified by researchers from the security firm Eclypsium, disclosed to Supermicro in June, and firmware updates were issued for all affected BMCs by the company [89631]. The temporary nature of the failure is further emphasized by the statement that it will likely take time for the patches to reach the vulnerable servers, indicating a period during which the vulnerability exists before being fully addressed.
Behaviour crash, omission, value, byzantine, other (a) crash: The software failure incident described in the article involves the potential for a crash where an attacker could take down a server by exploiting vulnerabilities in Supermicro baseboard management controllers (BMCs) [89631]. (b) omission: The software failure incident could also involve omission as the flaws in the BMCs allowed attackers to potentially exfiltrate data, replace a server's operating system with a malicious one, or take the server down, indicating the system may omit performing its intended functions securely [89631]. (c) timing: The timing of the software failure incident could be related to the fact that attackers could exploit the vulnerabilities remotely if organizations leave their BMCs accessible on the open internet, potentially causing harm at an unexpected time [89631]. (d) value: The software failure incident could involve a failure in the system performing its intended functions incorrectly, such as allowing unauthorized access or manipulation of server operations due to the vulnerabilities in the BMCs [89631]. (e) byzantine: The software failure incident may exhibit byzantine behavior as attackers could potentially gain deeper control by moving laterally onto a BMC, indicating inconsistent responses and interactions within the system [89631]. (f) other: The software failure incident could also involve a failure in the system's security model assumptions, where physical presence was considered a significant challenge, but the vulnerabilities in the BMCs allowed attackers to exploit the system remotely, bypassing traditional security measures [89631].

IoT System Layer

Layer Option Rationale
Perception embedded_software (a) sensor: The software failure incident reported in the article is not directly related to sensor errors. It focuses on vulnerabilities in Supermicro baseboard management controllers (BMCs) that can be exploited by attackers to exfiltrate data, replace a server's operating system, or take the server down [89631]. (b) actuator: The article does not mention any failure related to actuator errors. The focus is on the vulnerabilities in BMCs that allow attackers to exploit the hardware-level management powers of the controllers [89631]. (c) processing_unit: The software failure incident discussed in the article does not involve failures related to processing errors. It primarily addresses the flaws in Supermicro BMCs that can be leveraged by attackers to gain unauthorized access and control over servers [89631]. (d) network_communication: The article highlights vulnerabilities in Supermicro BMCs that can be exploited by attackers to gain deeper control by moving laterally onto a BMC. It also mentions the risks associated with leaving BMCs accessible on the open internet, leading to potential attacks [89631]. (e) embedded_software: The software failure incident described in the article is related to vulnerabilities in the embedded software of Supermicro baseboard management controllers (BMCs). These vulnerabilities can be exploited by attackers to perform various malicious activities on servers, such as exfiltrating data or replacing the operating system [89631].
Communication connectivity_level The software failure incident described in the article [89631] is related to the connectivity level of the cyber physical system. The vulnerability in the Supermicro baseboard management controllers (BMCs) allowed attackers to exploit flaws in the authentication protections of the systems that run virtual media protocols, enabling them to gain unauthorized access to the BMCs remotely. This vulnerability was not directly related to the physical layer (link level) of the cyber physical system but rather to the network and transport layers, where weaknesses in authentication and encryption protocols were exploited by attackers to compromise the BMCs.
Application FALSE The software failure incident described in the article [89631] is related to vulnerabilities in Supermicro baseboard management controllers (BMCs) that can be exploited by attackers. These vulnerabilities allow attackers to potentially exfiltrate data, replace a server's operating system with a malicious one, or take the server down. The flaws in the BMCs can be exploited to weaponize the legitimate function of virtually connecting USB devices to servers, enabling attackers to gain deeper control over the system. The authentication protections on the systems running virtual media protocols were found to be vulnerable to various types of attacks, potentially allowing unauthorized access. This software failure incident is not directly related to the application layer of the cyber physical system as described in the question. Instead, it involves vulnerabilities in the hardware-level management powers provided by the BMCs, which are separate from application layer issues such as bugs, operating system errors, unhandled exceptions, or incorrect usage.

Other Details

Category Option Rationale
Consequence property, theoretical_consequence (d) property: People's material goods, money, or data was impacted due to the software failure. The software failure incident described in the article [89631] resulted in potential harm to people's property, specifically their data and server operations. Attackers could exploit vulnerabilities in Supermicro baseboard management controllers (BMCs) to exfiltrate data to a thumb drive or external hard drive, replace a server's operating system with a malicious one, or even take the server down. This could lead to significant financial losses or disruptions in business operations for organizations using the affected BMCs. The attack allowed for unauthorized access and manipulation of critical server functions, posing a threat to the integrity and security of data stored on the servers.
Domain information, finance, other (a) The software failure incident discussed in the article is related to the information industry, specifically in the context of corporate network security vulnerabilities [89631]. (h) The incident also has implications for the finance industry as it involves potential data exfiltration, operating system replacement, and server shutdown, which could impact financial institutions that rely on secure server management [89631]. (m) Additionally, the incident is relevant to other industries that utilize server management systems, as the vulnerabilities in the Supermicro baseboard management controllers could potentially affect a wide range of sectors beyond just information and finance [89631].

Sources
