Update: Another IPMI Mishap? Researcher Claims Supermicro Devices Vulnerable

There’s more bad news for companies that rely on the Intelligent Platform Management Interface (IPMI) to manage servers and other hardware in their IT environments.

A researcher claims that a flaw in a common type of Baseboard Management Controller (BMC) made by Supermicro leaves BMC password files exposed on the Internet.

Specifically, researcher Zachary Wikholm over at Cari.net has published evidence of what he says is a head-slapping vulnerability affecting devices that use IPMI Baseboard Management Controllers (BMCs) made by the firm Supermicro.

According to Wikholm, servers equipped with Supermicro BMCs store a password file, PSBlock, in plain text and, making matters worse, leave it open to the world on port 49152.

“You can quite literally download the BMC password file from any UPnP enabled Supermicro motherboard running IPMI on a public interface,” he wrote.

Baseboard Management Controllers (BMCs) are small, embedded systems attached to a system’s motherboard that manage IPMI communications.

Wikholm says that Supermicro has fixed the problem in the latest version of its IPMI firmware. However, companies are often reluctant to flash (or replace) the firmware that manages BMCs.

The facts on the ground appear to support that conclusion. A scan of the Internet for public-facing devices that are listening on that port and appear to be running vulnerable Supermicro software revealed close to 32,000 systems. “This means at the point of this writing, there are 31,964 systems that have their passwords available on the open market,” he wrote.
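For operators who cannot reflash right away, it helps to know which of their own BMC addresses accept connections on port 49152 and whether those addresses are publicly routable. The sketch below is an added example, not code from Wikholm's post or from Supermicro; the function names and the sample inventory are constructed, and it only tests whether the port accepts a TCP connection.

```python
import ipaddress
import socket

BMC_UPNP_PORT = 49152  # port named in the article


def port_open(host, port=BMC_UPNP_PORT, timeout=2.0):
    """Return True if a TCP connection to host:port is accepted."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # Refused, filtered, unreachable or timed out: treat as not open.
        return False


def classify(address, is_open):
    """Rank one BMC IP address by how exposed its listener is."""
    if not is_open:
        return "closed"
    ip = ipaddress.ip_address(address)
    # is_global is False for RFC 1918, loopback, link-local and similar ranges.
    return "exposed-public" if ip.is_global else "open-internal"


def audit(inventory, port=BMC_UPNP_PORT, probe=port_open):
    """Map each inventory IP address to its classification.

    `probe` is injectable so the logic can be exercised without network access.
    """
    return {addr: classify(addr, probe(addr, port)) for addr in inventory}


if __name__ == "__main__":
    # Constructed inventory: replace with your own BMC management addresses.
    inventory = ["127.0.0.1", "192.0.2.10"]
    for addr, status in audit(inventory).items():
        print(f"{addr}\t{status}")
```

Any address reported as `exposed-public` is a candidate for firewalling or moving onto a dedicated management network until the firmware can be updated.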

The latest revelation is similar to the kinds of problems we’ve written about in IPMI. Security researcher Dan Farmer has called attention to a range of problems, charging vendors like Dell, HP and IBM with creating and distributing their own versions of the IPMI protocol that enable “the most insecure features of IPMI” by default, while adding their own features to it, many of them poorly documented or understood.

“Most vendors put semi-secret backdoors in their implementations so that their field and support specialists may gain access and control that you cannot,” Farmer has written.

Farmer has conducted similar scans, looking for systems using the Intelligent Platform Management Interface (IPMI) protocol. He recently identified over 230,000 Baseboard Management Controllers (BMCs) exposed to compromise via the public Internet. As many as 90% of the exposed systems could be compromised by exploiting what Farmer characterized as “basic configuration and protocol weaknesses.”

In an interview with The Security Ledger, Farmer said that vulnerabilities in IPMI or improperly configured devices could be abused by sophisticated hackers.

“I honestly think that you’d be crazy not to abuse this stuff if you were interested in any sort of espionage, attack, warfare, or whatever,” Farmer wrote.

Farmer said he had reviewed Wikholm’s work and that the scan results were similar to the findings of scans he ran in 2013. Organizations that might have deployed systems using vulnerable BMCs can’t count on obscurity any more, he said in an e-mail interview on Friday.

“We’re rapidly coming to a point where essentially every port on every IP is getting scanned on a daily basis or faster,” Farmer wrote. “It’d be nice to think that in general these sorts of announcements were handled with delicacy and empathy for those that it affects, but to me it seems that we’ll have essentially a wikiscan of all the open and vulnerable things for everyone to see, updated on a fairly real-time basis.”

Wikholm, like Farmer, is calling for more scrutiny of the security of embedded systems and the software that runs them.

Read his full post here: CARISIRT: Yet Another BMC Vulnerability (And some added extras) | CARI.net Blog.