If enterprises are indeed moving services off premises and into the cloud, there are four letters those companies’ IT organizations should be aware of: IPMI.
Short for Intelligent Platform Management Interface, these tiny computers live as an embedded Linux system attached to the motherboards of big servers from vendors such as IBM, Dell and HP. IPMI is used by a Baseboard Management Controller (BMC) to manage Out-of-Band communication, essentially giving admins remote control over servers and devices, including memory, networking capabilities and storage. This is particularly useful for hosting providers and cloud services providers who must manage gear and data in varied locations.
Noted researchers Dan Farmer, creator of the SATAN vulnerability scanner, and HD Moore, creator of Metasploit, have been collaborating on research into the vulnerabilities present in IPMI and BMCs and the picture keeps getting uglier. Last July, Farmer and Moore published some research on the issue based upon work Farmer was doing under a DARPA Cyber Fast Track Grant that uncovered a host of vulnerabilities, and Internet-wide scans for the IPMI protocol conducted by Moore.
Yesterday, Farmer released a paper called “Sold Down the River,” in which he chastises big hardware vendors for ignoring security vulnerabilities and poor configurations that are trivial to find and exploit.
“Many of these problems would have been easy to fix if the IPMI protocol had undergone a serious security review or if the developers of modern BMCs had spent a little more effort in hardening their products and giving their customers the tools to secure their servers,” Farmer wrote. “At this point, it is far too late to effect meaningful change.”
Farmer said the number of servers with vulnerable BMCs have given IPMI insecurity a long shelf life.
IPMI runs regardless of the underlying operating system and operates on UDP port 623 through a server’s network port or its own Ethernet port. It runs continuously, Farmer said, unless the plug is literally pulled. Moore’s scan pulled up 230,000 responses over port 623, an admittedly tiny slice of the overall number of implementations. Yet Farmer concludes that 90 percent of BMCs running IPMI could be compromised because of default or weak passwords or weaknesses in the protocol, not only implicating the host server but others in the same management group because, as he discovered, some vendors share common passwords.
“When a run-of-the-mill server is compromised it exposes its own BMC to attack from its host, which could risk the sanctity of entire management network,” Farmer wrote. “And if the BMCs that I wasn’t able to measure are anything like the ones I was, that’s real trouble.”
There are two popular versions of IPMI, 1.5 and 2.0, and there is almost a 50-50 split in deployments. BMCs running version 1.5 are, however, seriously plagued by a vulnerability in that nearly all server management ports have NULL authentication set, allowing log-ins without authentication. Nearly all BMCs, Farmer said, also have NULL enabled, which, when combined with the server management issue, gives hackers an open door to any older IPMI system.
“The privileges associated with the NULL account vary from vendor to vendor, but it seems to usually grant administrator access,” Farmer wrote. “No matter what, however, remote execution of commands on your server is bad.”
Farmer said 90.1 percent of IPMI 1.5 systems had NULL authentication enabled. Compounding the issue is that 1.5 also lacks cryptographic protection between the user and BMC, leaving it vulnerable to attacks against network traffic such as password sniffing and man-in-the-middle attacks.
Version 2.0, meanwhile, includes some crypto protections and some vendors recognized NULL authentication as a vulnerability and fixed it in about half of the implementations. The crypto used, however, introduces new security issues, Farmer said. The Cipher Zero protocol allows an outsider to log in without authentication, only a valid user name; any password will be ignored, Farmer said. Most server vendors enable it by default on their BMC; HP recently gave users the option of turning it off for the first time, Farmer said.
The worst vulnerability is the RAKP authentication remote password hash retrieval bug. The authentication process here mandates that the server send a salted SHA1 or MD5 hash of the password to the client before authenticating it. An attacker can steal this hash, and brute-force attack it offline.
“Unfortunately this means that even if you’re on the ball and up-to-date with your patching, have all known security problems fixed, and everything is working as planned, if an attacker can guess a valid account name they may get its password hash and crack your password without you knowing it,” Farmer wrote.
Farmer said he used Metasploit to scan IPMI 2.0 BMCs to gather password hashes from 83 percent of those systems, and using the popular John The Ripper password cracker, he was able to get 30 percent of those passwords. And most of those passwords were easily guessable passwords such as “admin.”
Further testing, Farmer said, revealed that 11,500 BMCs shared a common password, which could have been an undocumented default password; and another 1,300 BMCs, most in Europe on primarily on six networks, had a shared password, likely indicating a service provider using a common password to manage dispersed systems, Farmer said.
Farmer’s paper also lists a number of strategic and technical defenses enterprises can use, including contractual clauses for service providers forbidding the use of shared or similar passwords, and the disabling of default vendor user names used as account names which can be abused where Cipher Zero is present.