Supermicro, the world’s fourth-largest server seller, just can’t catch a break.
This week, researchers found another major security vulnerability in its hardware. This one gives an attacker the kind of power they would have if they were physically inside your data center and could plug a USB stick filled with malicious code into a server — without having to be anywhere near the facility. The connection is fully virtual and can take place over any network, including the internet.
“At the time of writing, we found at least 47,000 systems with their BMCs [Baseboard Management Controllers] exposed to the Internet and using the relevant protocol,” the researchers said in their report. “It is important to remember that these are only the BMCs that are directly exposed to the Internet. The same issues can be easily exploited by attackers who gain access to a corporate network.”
The researchers notified Supermicro of the problem, and the company quickly responded with a fix. Firmware updates are currently available for the X9, X10, and X11 platforms on Supermicro’s Security Center page and Virtual Media Vulnerability details page.
According to Supermicro, no problems caused by the vulnerability have been reported in a customer environment.