I just wrote about the hole in IPMI and now researchers are reporting more problems. Help Net Security writes that over 30,000 servers with the Super Micro WPCM450 line of chips on their motherboards have baseboard management controllers (BMCs) that offer up administrator passwords to anyone who knows where to look. Zachary Wikholm, a senior security engineer with the Security Incident Response Team of hosting provider CARI.net warns that BMC’s which collect information on the health of the hardware and software data do not protect this critical information, Mr. Wikholm wrote;
You can quite literally download the BMC password file from any UPnP-enabled Super Micro motherboard running IPMI on a public interface
The article explains this confidential information is available because Super Micro created the password file in plain text. The file can be downloaded by simply connecting to port 49152. The researcher added that many more critical files can be accessed by the public;
All the contents of the /nv/ directory are accessible via browser including the server.pem file, the wsman admin password and the netconfig files
Help Net Security confirms that Super Micro no longer uses the WPCM450 chips. But a scan of the Internet using Shodan, a specialized search engine for finding embedded systems, indicated 31,964 affected systems were online. The company has also offered up a fix, to this vulnerability which requires administrators to re-flash their systems with the new IPMI BIOS. This workaround is not available to all servers, especially in 24×7 shops.
Mr. Wikholm has stepped in and has devised a temporary fix for those who don’t want to risk re-flashing the server IPMI BIOS. The fix centers around killing UPnP processes on the BMC. The drawback of the fix is that it lasts only as long as the system isn’t disconnected or rebooted.
The existence and the exploitation potential of the flaw was confirmed by SANS ISC handler Tony Carothers: “One of our team has tested this vulnerability, and it works like a champ, so let’s add another log to the fire and spread the good word.”
rb-
Fortunately Super Micro no longer sells this chipset, but there are still over 30K of these time-bombs out there waiting to explode on some poor sysadmin. Hopefully checking out the IPMI BMC is now part of a standard device hardening policy. if not, it should be.
Related articles
- A Penetration Tester’s Guide to IPMI and BMCs (community.rapid7.com)
Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.