{"id":70086,"date":"2014-07-15T21:32:38","date_gmt":"2014-07-16T01:32:38","guid":{"rendered":"http:\/\/rbachnet.wwwmi3-ss40.a2hosted.com\/index.php\/"},"modified":"2021-11-28T16:12:05","modified_gmt":"2021-11-28T21:12:05","slug":"more-server-admin-passwords-exposed","status":"publish","type":"post","link":"https:\/\/rbach.net\/index.php\/more-server-admin-passwords-exposed\/","title":{"rendered":"More Server Admin Passwords Exposed"},"content":{"rendered":"

\"MoreI just wrote<\/a> about the hole in IPMI<\/a><\/strong> and now researchers are reporting more problems<\/strong>.<\/em> Help Net Security<\/em><\/a> writes that over 30,000 servers<\/strong> with the Super Micro<\/a><\/strong> WPCM450 line of chips on their motherboards have baseboard management controllers (BMCs<\/a>) that offer up administrator passwords to anyone<\/strong> who knows where to look. Zachary Wikholm<\/a>, a senior security engineer with the Security Incident Response Team of hosting provider CARI.net<\/a> warns that BMC’s which collect information on the health of the hardware and software data do not protect this critical information, Mr. Wikholm wrote;<\/p>\n

\"critical<\/a>You can quite literally download the BMC password file from any UPnP<\/a>-enabled Super Micro motherboard running IPMI on a public interface<\/em><\/p>\n

The article explains this confidential information is available because Super Micro created the password file in plain text<\/strong>. The file can be downloaded by simply connecting to port 49152. The researcher added that many more critical files can be accessed by the public;<\/p>\n

All the contents of the \/nv\/ directory are accessible via browser including the server.pem file, the wsman admin password and the netconfig files<\/em><\/p>\n

Help Net Security<\/em> confirms that Super Micro no longer uses the WPCM450 chips. But a scan of the Internet using Shodan<\/a>, a specialized search engine for finding embedded systems<\/a>, indicated 31,964 affected systems were online<\/strong>. The company has also offered up a fix, to this vulnerability which requires administrators to re-flash their systems with the new IPMI BIOS<\/a>. This workaround is not available to all servers, especially in 24×7 shops.<\/p>\n

\"Patch<\/a>Mr. Wikholm has stepped in and has devised a temporary fix<\/strong> for those who don’t want to risk re-flashing the server IPMI BIOS. The fix centers around killing <\/strong>UPnP<\/a> processes<\/strong> on the BMC. The drawback of the fix is that it lasts only as long as the system isn’t disconnected or rebooted.<\/p>\n

The existence and the exploitation potential of the flaw was confirmed<\/a> by <\/strong>SANS<\/strong> ISC<\/a> handler Tony Carothers: “One of our team has tested this vulnerability, and it works like a champ, so let\u2019s add another log to the fire and spread the good word.”<\/p>\n

rb-<\/em><\/strong><\/p>\n

Fortunately Super Micro no longer sells this chipset, but there are still over 30K of these time-bombs out there waiting to explode on some poor sysadmin. Hopefully checking out the IPMI BMC is now part of a standard device hardening policy. if not, it should be.<\/em><\/p>\n

Related articles<\/h6>\n