Slashdot Mirror

← Back to Stories (view on slashdot.org)

Supermicro Fails At IPMI, Leaks Admin Passwords

Posted by Soulskill on from the bet-they-fix-it-now dept.

drinkypoo writes: Zachary Wikholm of Security Incident Response Team (CARISIRT) has publicly announced a serious failure in IPMI BMC (management controller) security on at least 31,964 public-facing systems with motherboards made by SuperMicro: "Supermicro had created the password file PSBlock in plain text and left it open to the world on port 49152." These BMCs are running Linux 2.6.17 on a Nuvoton WPCM450 chip. An exploit will be rolled into metasploit shortly. There is already a patch available for the affected hardware.

3 of 102 comments (clear)

  1. What moron puts IPMI public facing? by silas_moeckel · · Score: 3, Insightful

    What use case? This sort of things should always be behind a firewall. Is it to hard to VPN in? Hell our supermicro IPMI's work rather well though a proxy on the firewall (dell and HP for that matter).

    --
    No sir I dont like it.
    1. Re:What moron puts IPMI public facing? by barc0001 · · Score: 3, Insightful

      Exactly. Supermicro definitely screwed the pooch on this one, but so is anyone deploying these systems without a firewall in front of them. It's just common sense.

    2. Re:What moron puts IPMI public facing? by Minwee · · Score: 3, Insightful

      In increasing order of moron, here are a few ways that this can happen:

      1) The IPMI may share the same port as the primary network interface.

      2) You may have requested an expensive switching architecture with proper VLAN segregation, but your manager only approved you to take the old D-Link box from under his desk, forcing everything to be on the same segment.

      3) The people who run the datacentre may have thoughtfully connected every Ethernet port they could find to your switch, even the one with that funny wrench symbol on it, without telling you. In many cases it's possible for a server to be purchased, received, installed, configured and put into production without any of its owners ever seeing it in person. Throw in a heavy dose of "It's somebody else's problem" all around and anything can happen.

      4) In some organizations (and I'm not going to name any), IT policy like "All management ports must be reachable from our head office and the IT support desk in Hyderabad" is set by people who think that "security" means remembering to lock their Lexus.