IPMI Protocol, BMC Vulnerabilities Expose Thousands of Servers to Attack

Vulnerabilities in the IPMI protocol that describes how baseboard management controllers communicate on networks put thousands of servers at risk, particularly those at hosting providers.

Baseboard management controllers, embedded computers present in most servers, are vulnerable to a half dozen critical vulnerabilities that could enable an attacker to gain remote control over the host machine.

The vulnerabilities are in the Intelligent Platform Management Interface (IPMI) protocol specification that describes how BMCs communicate locally and across networks. The issues range from the ability to bypass authentication mechanisms, steal password hashes that can be brute-forced offline, to UPnP-based vulnerabilities that cannot be disabled and could lead to remote root compromises.

Dan Farmer, creator of the SATAN vulnerability scanner, discovered the vulnerabilities while conducting research under a DARPA Cyber Fast Track grant that was completed in January. Metasploit creator and Rapid7 CSO HD Moore then collaborated with Farmer by conducting an Internet-wide scan of the IPMI protocol to discover the breadth of the issue.

Moore found 308,000 IMPI-enabled BMCs, 195,000 of which support version 1.5 of the spec which does not provide encryption; 113,000 devices support version 2.0 which is vulnerable to exposed password hashes, authentication bypasses, or default passwords. Another 35,000 Supermicro BMCs are vulnerable to the UPnP flaw Moore described earlier this year. BMCs are either plugged directly into a motherboard, or as an add-on card plugged into a BMC connector or a PCI slot.

“Although the numbers are relatively small compared to a consumer-level exposures like UPnP, these tend to be important systems, and could be easily compromised through the BMC to steal data and attack visitors to the websites they host,” Moore told Threatpost. “BMC-enabled servers are incredibly common on internal corporate networks as well, with even less care given to things like default passwords and outdated firmware.”

Moore said about 301,000 BMCs provided location information with the United States making up 31 percent of the exposed systems. He was able to pull DNS records for 148,000 and found 40,000 hosting providers, including some of the largest hosting firms in the U.S., Moore said. He added that one U.S. provider exposes nearly 5,000 BMCs across its network. Telecoms, government and university installations were next among the most exposed.

“BMCs provide much-needed access of last resort. System administrators don’t need to use these often, but when they are necessary, such as after a disk failure on a production server in a remote location, they are critical,” Moore said. The latest IMPI spec was finalized nearly 10 years ago and managed to fly under the radar until Farmer focused on it in his research.

“Unfortunately, the IPMI protocol has become an essential part of what hosting providers provide,” Moore said. “Hosting providers expose more IPMI-enabled systems to the Internet than any other vertical.”

A number of factors can contribute to a relatively simple compromise of a BMC, including outdated firmware, simple or default passwords, and previously granted access.

“An attacker that breaches a web application and escalates access to root using a kernel exploit could then backdoor the BMC and re-enter the server through the IPMI interface, even if the server had been reinstalled,” Moore said. “This is a huge issue for hosting providers where the same server is recycled between customers. A rooted BMC would be a very difficult thing to secure, as the attacker could disable the reset and update mechanisms or downgrade the firmware to an exploitable version.”

Two of the six vulnerabilities really stand out. The first is an IMPI 2.0 authentication bypass vulnerability via the Cipher 0 encryption method. The cipher bypasses authentication and allows IPMI commands from any source, Moore said. Manufacturers enable this be default, and it can be exploited using a number of command line tools including a particular Metasploit module that spots Cipher 0 in use.

“The Cipher 0 issue is really bad because it seems to affect at least half of the exposed IPMI 2.0 systems we tested,” Moore said. “This essentially provides unauthenticated administrative access to the BMC. Fortunately, most vendors have provided firmware updates that address the issue.”

The worst vulnerability is an IMPI 2.0 RAKP authentication remote password hash retrieval bug. The authentication process here mandates that the server send a salted SHA1 or MD5 hash of the password to the client before authenticating it. An attacker can steal this hash, and brute-force attack it offline.

“There is no way to fix this short of breaking the specification and offline password cracking is becoming incredibly efficient in the age of Xeon Phi and GPU programming,” Moore said. “Given that passwords are often shared between devices and services, breaking the password on one BMC will often provide access to a whole lot more.”

By going offline, the attacker can leverage any hardware at their disposal for a brute force attack, Moore said.

“For example, it is possible to test the entire 6-character password space in about 12 hours with two beefy servers. Scaling this out to cloud services or larger data centers could provide trillions of hashes per second of performance, making it easy to crack even relatively hard passwords,” Moore said. “In our testing, we identified that 10 percent of Internet-facing BMCs used one of 1,000 common passwords for an administrative account.  We expect this number to be worse on internal networks.”

Compounding the issue is the fact that of the major vendors, only HP uses a random factory-generated default password. The others—Dell, Oracle-Sun, Fujitsu and IBM—ship with weak default passwords or with null authentication.

“About 5 percent of Internet-facing BMCs had a default password set,” Moore said. “In an unscientific internal test, 80 percent of devices identified still had a default password configured (of 35 systems on a typical corporate network).”

In addition to the UPnP vulnerability in Supermicro BMCs, there is another where the controller requires access to a cleartext password in order to calculate a hash, meaning the BMC stores the cleartext version of all passwords. While password storage is scattered, it always follows a user name and can be easily found.

“All in all, those most at risk are US-based hosting providers and their customers, but it also appears that quite a few systems have IPMI enabled unintentionally, and nearly all of these systems are at risk to at least one of the vulnerabilities identified by Dan Farmer,” Moore said.

Suggested articles

Juniper Backdoor Picture Getting Clearer

Crypto and security experts digging into the Juniper backdoor have determined that attackers have subverted an alleged NSA backdoor in the Dual_EC_DRBG algorithm used in NetScreen firewalls.