Supermicro Fails At IPMI, Leaks Admin Passwords
drinkypoo writes: Zachary Wikholm of the Security Incident Response Team (CARISIRT) has publicly announced a serious failure in IPMI BMC (management controller) security on at least 31,964 public-facing systems with motherboards made by Supermicro: "Supermicro had created the password file PSBlock in plain text and left it open to the world on port 49152." These BMCs are running Linux 2.6.17 on a Nuvoton WPCM450 chip. An exploit will be rolled into Metasploit shortly. There is already a patch available for the affected hardware.
>That's pretty terrifying stuff!
It's pretty handy if you have 100 racks of 30 machines each and no monitor or keyboard on any of them.
And with Supermicro BMCs, it's even more handy when you don't own any of them.