Much has been written about the insecurity of the IPMI protocol present inside embedded baseboard management controllers (BMCs). Serious vulnerabilities can be exploited to gain remote control over big servers running BMCs, in particular in hosting environments where the controllers help admins with remote management of crucial industrial functions, for example. And despite alerts and warnings from prominent figures in computer security such as Dan Farmer and HD Moore, and patches from vendors, the news keeps getting worse.
The security incident response team for San Diego-based cloud-based hosting provider CARI.net yesterday disclosed that a file storing passwords in plain text is open over port 49152. Close to 32,000 vulnerable systems responded to a GET/PSBlock query on the Shodan search engine over port 49152; more than 9.8 million hosts responded in total.
“You can quite literally download the BMC password file from any UPnP enabled Supermicro motherboard running IPMI on a public interface,” said Zachary Wikholm, senior security engineer with CARI.net.
The PSBlock password file is found in a XML file stored inside a particular directory, Wikholm said, adding that he notified Supermicro of the issue in November to no avail. Wikholm said anything stored in the directory, including server.pem files, wsman admin passwords and netconfig files, are available.
“When I attempted to reach out to Supermicro, the standard response received was that the UPnP issue had already been patched with the newest IPMI BIOS version. However, flashing a system is not always a possibility,” Wikholm said.
The problems with IPMI and BMCs gained momentum almost a year ago when Farmer discovered a half-dozen critical vulnerabilities, including authentication bypass issues and UPnP vulnerabilities that could lead to root compromises. Rapid7 CSO and Metasploit creator HD Moore collaborated with Farmer to conduct an Internet scan for IPMI, learning that hundreds of thousands of servers and devices were exposed, some lacking encryption, others with the aforementioned authentication weaknesses.
BMCs are plugged into a motherboard or are an add-on card plugged into a BMC connector or PCI slot. In November, seven zero day vulnerabilities in Supermicro IPMI firmware were reported by Moore and were patched by the vendor.
Recently, Farmer took up the cause again with the release of a research report in which he takes big server vendors to task for ignoring the severity of these vulnerabilities.
“Many of these problems would have been easy to fix if the IPMI protocol had undergone a serious security review or if the developers of modern BMCs had spent a little more effort in hardening their products and giving their customers the tools to secure their servers,” Farmer wrote in his paper “Sold Down the River.” “At this point, it is far too late to effect meaningful change.”
Of the 9.8 million devices that responded, not all of them are Supermicro devices. Most are embedded Linux devices such as home routers and IP cameras, and many are running the embedded UPnP software, Wikholm said. Moore had gone into great detail about vulnerabilities in UPnP, which expose embedded devices to another world of issues. Wikholm said that a temporary fix is possible by taking advantage of the fact that most of the systems affected by this issue expose their shell from the SMASH command line.
“If you login to the SMASH via ssh and run the command ‘shell sh,’ you can drop into a functional SH shell. From there you can actually kill all ‘upnp’ processes and their related children, which provides a functional fix,” he said. “That is of course until the system is completely disconnected from power and reconnected, during which the IPMI module will reboot.”
Making matters even more frustrating is the overall weakness of the password combinations exposed for the 32,000 devices, 3,296 of which are default user name-password combinations including the use of the word “password” as a credential.