Nutanix IPMI Virtual USB-Anywhere Vulnerability

Nutanix SuperMicro IPMI / BMC Virtual Media USB Anywhere Vulnerability

Nutanix released security advisory #0016 for Nutanix NX hardware IPMI / BMC Virtual media / hardware USB-Anywhere vulnerability after SuperMicro (SMC) disclosed a medium severity vulnerability in their Baseboard Management Controller (BMC) firmware for their X9, X10 and X11 based server products, same vulnerability reported by multiple media outlets of the findings by security researchers at Eclypsium around a virtual media vulnerability within certain Supermicro (SMC) Baseboard Management Controller (BMC) versions.

Dubbed USB-Anywhere, this vulnerability takes advantage of weak or non-existent encryption during authentication with the virtual media service running on tcp and udp port 623 within the BMC. more info ref. Nutanix Infra Security Network Port Number list.

Information on Vulnerabilities

CVE IDs and their corresponding CVSS scores are not currently available from SMC. Leveraging this vulnerability relies on a few factors. Note that knowledge of authentication credentials is unnecessary so long as a valid account has accessed the service since it was last powered on.

This is due to a lingering state issue within the BMC for the Virtual Media service that allows for authentication bypass if a client happens to connect with the same socket file descriptor and information as a previously valid client.

Additionally, due to the way the BMC handles USB descriptors it is possible to mount USB-devices that can not only exfiltrate data, but also inject keystrokes into the host operating system.The combination of these factors leaves a malicious actor in a position to exploit the host operating system in a number of ways.

Nutanix NX Affected Products

Nutanix NX hardware affected products list here:

Nutanix NX ProductVulnerability Fix Release
All NX Hardware Platforms (G3 – G7)X11 (G6 / G7) BMC Version7.05
X10 (G4 / G5) BMCVersion3.64
X9 (G3) BMC Version is TBD.

LCM will ship with the above updated BMC Firmware in version 2.2.3.1.

Note: For compatibility with the above BMC Firmware updates, Foundation 4.4.4

Recommendation : Update the Nutanix NX hardware BMC firmware though Nutanix LCM framework and foundation version as soon as possible.

IPMI Vulnerability Mitigations

Nutanix -SuperMicro IPMI / BMC Virtual media / hardware USB-Anywhere vulnerability risk can be mitigated immediately for this vulnerability while a fix is being worked on by SMC. The key vector of this vulnerability is the authentication path between software and the Virtual Media service running on tcp and udp port 623 of the BMC. During this handshake, authentication credentials are sent in the clear (unencrypted) and data passed over that port post-authentication is unencrypted.

Risk can be managed via the following methods until a patch is released:

Architecture – Baseboard Management Controllers, IPMI and other server management interfaces are not to be placed on untrusted networks, especially not internet facing networks.

Proper and accepted architecture and Nutanix IPMI Security best practice is to place these interfaces on isolated and protected areas of the network. If IPMI and BMC access is required with in your data center ensure that those devices are on a trusted network with appropriate network access controls in place.

Availability – If IPMI and BMC access is ​not​ critical within your data center, you can temporarily disable it via ​KB 8114​. Note that disabling port 623 will completely mitigate the attack vector.

however, it will affect the following Nutanix functionality:

  • Bare-Metal Foundation (Used during installation / expansion. Note: New node fromthe factory will not be impacted. However, one needs to disable tcp / udp 623 port after adding node to cluster)
  • Host Boot Drive Replacement (SATADOM for G3, G4 and G5 / M.2 for G6) ref. Nutanix Advisory SATADOM Failure Issue found
  • Stand-Alone Foundation – Expand Node
Nutanix SATADOM Replacement

Sources Supermicro Security

Information –https://www.supermicro.com/support/security_BMC_virtual_media.cfm

Nutanix KB Article – ​https://portal.nutanix.com/kb/8114

Conclusion

Nutanix NX hardware series G3 – G7 all are affected the SuperMicro IPMI / BMC Virtual Medai USB-Anywhere Vulnerability, it recommended to take precaution to avoid any un-authorized access to your Nutanix HCI infra. So upgrade the latest BMC firmware and foundation version.

Thanks to being with HyperHCI Tech Blog.