Slashdot Mirror


Supermicro Fails At IPMI, Leaks Admin Passwords

drinkypoo writes: Zachary Wikholm of the Security Incident Response Team (CARISIRT) has publicly announced a serious failure in IPMI BMC (management controller) security on at least 31,964 public-facing systems with motherboards made by SuperMicro: "Supermicro had created the password file PSBlock in plain text and left it open to the world on port 49152." These BMCs are running Linux 2.6.17 on a Nuvoton WPCM450 chip. An exploit will be rolled into Metasploit shortly. There is already a patch available for the affected hardware.

25 of 102 comments

  1. Anyone who trusted SuperMicro... by Anonymous Coward · · Score: 2, Insightful

    Anyone who trusted SuperMicro for anything business critical gets what they deserved. I had the misfortune of working with their engineering department back in 2006/2007. They were absolutely clueless. Slapping random components together hoping to build good server motherboards, wondering why things would perform oddly or be unstable. They admittedly got it right more often than not, but that's not exactly what you want for servers. Stuff like this is proof they aren't serious business.

    1. Re:Anyone who trusted SuperMicro... by stox · · Score: 5, Informative

      I manage 10,000 of them. To date, lower infant mortality and fewer long-term failures than I had seen previously with Dell and HP. They also ship a lot faster than Dell or HP. Anyone who exposes their IPMI interfaces to the public internet deserves the results.

      --
      "To those who are overly cautious, everything is impossible. "
    2. Re:Anyone who trusted SuperMicro... by myowntrueself · · Score: 2

      I have literally never had a complaint with an Intel motherboard except when it had onboard ATI graphics — Mach64CT, what a POS, you couldn't even trust it to provide a framebuffer without getting the colors wrong.

      server mainboards, who cares about the colors? That includes Windows.

      But how will you know your Windows server has crashed unless you can see the blue screen?? If it's purple or green how will you even know?!?!?

      --
      In the free world the media isn't government run; the government is media run.
  2. Opportunity for some grey hackery by Anonymous Coward · · Score: 2, Interesting

    Some intrepid hacker should write a script to take control and apply the patch to the vulnerable software.

    1. Re:Opportunity for some grey hackery by operagost · · Score: 4, Interesting

      This happened over 10 years ago. In response to the Blaster worm, someone wrote the Welchia worm to find, clean, and patch unpatched machines. Because it downloaded the patch to each machine it infected, its deleterious effects on networks may have been worse than Blaster.

      I had the pleasure of being contracted to help remove both worms for a local hospital, sneakernetting the removal tool.

      --
      Gamingmuseum.com: Give your 3D accelerator a rest.
  3. What moron puts IPMI public facing? by silas_moeckel · · Score: 3, Insightful

    What use case? This sort of thing should always be behind a firewall. Is it too hard to VPN in? Hell, our Supermicro IPMIs work rather well through a proxy on the firewall (Dell and HP for that matter).

    --
    No sir, I don't like it.
    1. Re:What moron puts IPMI public facing? by barc0001 · · Score: 3, Insightful

      Exactly. Supermicro definitely screwed the pooch on this one, but so has anyone deploying these systems without a firewall in front of them. It's just common sense.

    2. Re:What moron puts IPMI public facing? by Anonymous Coward · · Score: 4, Informative

      Many hosting companies that offer a complimentary IPMI or other KVM-over-IP will give the OOB box an IP address on the public Internet. They do this because it is cheaper than creating a private subnet on a dedicated firewall for each customer and letting them VPN in (like SoftLayer does). I doubt many of these exposed systems are from large corporations that run their own infrastructure, or even cloud providers. They are most likely from the retail hosting business. OVH, Hetzner, etc.

    3. Re:What moron puts IPMI public facing? by XanC · · Score: 2

      I was asking about this on the OVH forums just the other day, in fact:

      Our IPMIs are actually configured on a private network separated from the Dedicated Servers network using a private VLAN for all the IPMI traffic, fully secured via our network equipment.

      There are two ways you can access the IPMI connection:

      1- Over a Java applet which generates and sends you a .jnlp file valid for this session only. (This method lets you use keyboard and mouse.)

      2- Over a web browser via Serial over LAN that uses a temporarily generated user valid for this session only.

      https://forum.ovh.us/showthrea...

    4. Re:What moron puts IPMI public facing? by Minwee · · Score: 3, Insightful

      In increasing order of moron, here are a few ways that this can happen:

      1) The IPMI may share the same port as the primary network interface.

      2) You may have requested an expensive switching architecture with proper VLAN segregation, but your manager only approved you to take the old D-Link box from under his desk, forcing everything to be on the same segment.

      3) The people who run the datacentre may have thoughtfully connected every Ethernet port they could find to your switch, even the one with that funny wrench symbol on it, without telling you. In many cases it's possible for a server to be purchased, received, installed, configured and put into production without any of its owners ever seeing it in person. Throw in a heavy dose of "It's somebody else's problem" all around and anything can happen.

      4) In some organizations (and I'm not going to name any), IT policy like "All management ports must be reachable from our head office and the IT support desk in Hyderabad" is set by people who think that "security" means remembering to lock their Lexus.

    5. Re:What moron puts IPMI public facing? by tburkhol · · Score: 2

      IPMI is awesome for managing servers. All the Supermicro mobos I've ever used had a dedicated Ethernet port to make sure the IPMI was on a separate, dedicated, not-internet-connected network. The real problem is that they will (or at least would) fall back to the normal Ethernet port for IPMI if the dedicated port was not connected.

      So the risk here is anyone who bought nice Supermicro hardware, didn't bother to learn about the IPMI, and only connected the normal ethernet port. It's not going to be a problem for people running 5,000 servers in a datacenter. It's going to be a problem for SOHO guys whose web server has a BMC they don't know about communicating on the same port.

  4. All vendors fail with IPMI v2.0 by Anonymous Coward · · Score: 4, Interesting

    IPMI v2.0 has a design flaw that any anonymous remote attacker can request and get the salt and password hash for the admin user!

    It is a design flaw that cannot be patched.

    Better use all of the 20 character allowed maximum password length and rotate the password often!

  5. Re:Wha? by Anonymous Coward · · Score: 3, Funny

    "like a child" ==> Some computers that run websites on the Internet have an "Employees Only" entrance on the side of the building, with a lock controlled by a PIN code (for example, "1234").

    SuperMicro built these PIN code locks with the correct code clearly printed on the side of the PIN entry panel.

  6. Ugh... by jasno · · Score: 2, Informative

    Working on a product based around these now...

    As far as I can tell, the Nuvoton WPCM450 is what contains the Matrox G200ew clone for graphics output. Thanks to XAA being discontinued in X.org, the MGA driver is practically unusable for X at this point (even with an ancient, 2D window manager).

    Yet another reason to avoid this hardware.

    --
    http://www.masturbateforpeace.com/
  7. Re:Wha? by barc0001 · · Score: 5, Informative

    IPMI is a management interface that allows you to do some neat remote administration tasks on these servers up to and including remote console so you can even install an OS on them over the network. They are a separate network interface with this running. I have several of these boxes deployed in my datacenters and firstly, the IPMI interface is configured with a non-public IP address, and secondly, the box is behind a firewall blocking all traffic that is not explicitly allowed, so while this is some sloppy-ass stuff on Supermicro's part, I am personally not that concerned. I am sure that there are many who are not nearly as cautious as I am though who might need to be concerned. Although if they are also that careless, chances are they might not have bothered to set up the IPMI interface as well or even plugged it in.

  8. By default, SuperMicro IPMI attaches to normal eth by Anonymous Coward · · Score: 5, Informative

    By default, SuperMicro IPMI attaches to normal Ethernet. So if you hook up a server to a public connection, you've exposed your IPMI. We caught this in a security audit: we added a DHCP honeypot to our static network to see if we could get any devices to announce themselves. We about shat our pants! There's probably a ton of people at risk not knowing this motherboard is insecure by default!
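The "DHCP honeypot" check the previous comment describes can be scripted: on a network that is supposed to be fully static, every DHCPDISCOVER is interesting, and any MAC that is not in your inventory is a device you did not know about. The following is an added example, not code from the thread or from Supermicro; it assumes ISC dhcpd-style syslog lines and an inventory keyed by MAC address. The OUI 00:25:90 is registered to Super Micro Computer, Inc. in the IEEE registry; the log lines and inventory are constructed for the example.

```python
"""Added example (not from the Slashdot thread): list devices that ask for a
DHCP lease but are absent from the inventory, the way a DHCP honeypot on a
static network surfaces BMCs that fell back onto the shared LAN port.

Assumptions: ISC dhcpd syslog format, an inventory of known MACs, and a small
OUI table. 00:25:90 is Super Micro Computer's OUI (IEEE registry); the sample
log and inventory below are constructed.
"""
import re
from collections import OrderedDict

# ISC dhcpd logs a discover as: "DHCPDISCOVER from <mac> via <iface>"
DISCOVER_RE = re.compile(
    r"DHCPDISCOVER from (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) via (?P<iface>\S+)",
    re.IGNORECASE,
)

# OUI prefix (first three octets) -> vendor; extend from the IEEE OUI list.
OUI_VENDORS = {
    "00:25:90": "Super Micro Computer, Inc.",
}


def parse_discovers(log_lines):
    """Return an ordered {mac: iface} of every MAC that sent a DHCPDISCOVER."""
    seen = OrderedDict()
    for line in log_lines:
        m = DISCOVER_RE.search(line)
        if m:
            seen.setdefault(m.group("mac").lower(), m.group("iface"))
    return seen


def vendor_for(mac):
    """Best-effort vendor lookup by OUI prefix."""
    return OUI_VENDORS.get(mac.lower()[:8], "unknown vendor")


def find_unknown_devices(log_lines, inventory_macs):
    """MACs that asked for a lease but are not in the inventory.

    Returns (mac, iface, vendor) tuples in first-seen order. A BMC in failover
    mode requests an address with its own MAC, so it appears here even though
    the host's OS NIC is a known device.
    """
    known = {m.lower() for m in inventory_macs}
    return [
        (mac, iface, vendor_for(mac))
        for mac, iface in parse_discovers(log_lines).items()
        if mac not in known
    ]


# Constructed sample: two inventoried hosts and one Supermicro-OUI device
# nobody knew was on the segment (it discovers twice; it is reported once).
SAMPLE_LOG = [
    "Jun 19 10:01:02 dhcp dhcpd: DHCPDISCOVER from 52:54:00:12:34:56 via eth1",
    "Jun 19 10:01:02 dhcp dhcpd: DHCPOFFER on 10.0.5.20 to 52:54:00:12:34:56 via eth1",
    "Jun 19 10:01:09 dhcp dhcpd: DHCPDISCOVER from 00:25:90:aa:bb:cc via eth1",
    "Jun 19 10:01:09 dhcp dhcpd: DHCPDISCOVER from 00:25:90:aa:bb:cc via eth1",
    "Jun 19 10:02:40 dhcp dhcpd: DHCPDISCOVER from 52:54:00:65:43:21 via eth1",
]
SAMPLE_INVENTORY = ["52:54:00:12:34:56", "52:54:00:65:43:21"]

if __name__ == "__main__":
    for mac, iface, vendor in find_unknown_devices(SAMPLE_LOG, SAMPLE_INVENTORY):
        print(f"unknown device {mac} ({vendor}) requested a lease via {iface}")
```

The honeypot server itself should hand out no usable leases (or leases into a dead VLAN); the value is in the log, not the offer. Matching on DHCPDISCOVER rather than DHCPREQUEST catches devices that never complete the exchange.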

  9. Re:Wha? by TechyImmigrant · · Score: 2

    >That's pretty terrifying stuff!

    It's pretty handy if you have 100 racks of 30 machines each and no monitor or keyboard on any of them.

    --
    I should use this sig to advertise my book ISBN-13 : 978-1501515132.
  10. Re:Wha? by rahvin112 · · Score: 4, Informative

    In simple language.

    It's a VNC connection to the graphics output (and some switches) independent of the main hardware. You can essentially VNC in and reboot the server, adjust BIOS options, mount a CD from your workstation to the server and install an OS. All while never having to touch the actual server.

    It's very handy and a total security nightmare if it's not secured properly, which should be obvious from the fact that you can power cycle and have full BIOS access. As others have said, it should be totally obvious to anyone with any computer literacy that IPMI could be very dangerous.

  11. Re:By default, SuperMicro IPMI attaches to normal by rahvin112 · · Score: 2

    The IPMI on my Supermicro motherboard only works through one of the network ports. In fact it has its own dedicated port that is only for IPMI (the regular OS doesn't even see it). Though I have seen older motherboards that work like yours, I think Supermicro has moved in more recent products to dedicated IPMI ports, maybe because of this very reason. You should be configuring the IPMI even if you don't plan to use it: set it an IP and then blackhole that IP on your network. If you don't configure it, you don't know what it's doing.

  12. Re:By default, SuperMicro IPMI attaches to normal by drinkypoo · · Score: 5, Informative

    > By default, SuperMicro IPMI attaches to normal ethernet.

    Yes, I saw a mention of that on G+ today, but I lost it. So I went to the source, I will save y'all the trouble of dicking with the PDF and jump straight to page 2-26 and excerpt the really interesting part:

    The default setting is Failover, which will allow IPMI to be connected from either the shared LAN port (LAN 1/0) or the dedicated IPMI LAN port. Precedence is given to the Dedicated LAN port over the shared LAN port.

    YE GODS. At least it's in the manual, which no one reads. You can select a port once you've got the system up and running, and once you do that it will stick, but until then it operates unsafely, as above. And if by chance there's no link on the management port during boot, perhaps because the management switch is also being cycled, then IPMI will appear on another interface.

    There's no excuse for not firewalling that off, but it's still also unacceptable behavior.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
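Given the failover behaviour quoted from the manual above, the check a defender wants after the fact is whether any BMC service port has been reached from outside the management network. The following is an added example, not code from the thread, the manual or Supermicro; it assumes netfilter LOG-style lines with SRC=/DST=/PROTO=/DPT= fields and a management prefix you fill in. UDP 623 is the standard RMCP port used for IPMI over LAN; TCP 49152 is the port the report in the summary names. The log lines and addresses are constructed.

```python
"""Added example (not from the Slashdot thread): flag firewall log entries
where a BMC service port was reached from a source outside the management
network, which is what a BMC that fell back to the shared LAN port looks like.

Assumptions: netfilter LOG format, the management prefixes below, and the
port list below. UDP 623 is standard RMCP/IPMI-over-LAN; TCP 49152 is the
port named in the Supermicro report. Sample lines are constructed.
"""
import ipaddress
import re

# (protocol, port) -> why it matters. Should never be reachable from untrusted networks.
BMC_PORTS = {
    ("UDP", 623): "RMCP / IPMI-over-LAN",
    ("TCP", 49152): "port named in the Supermicro PSBlock report",
}

# Networks from which management traffic is expected (constructed example range).
MANAGEMENT_NETS = [ipaddress.ip_network("10.10.0.0/16")]

FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")


def parse_fields(line):
    """Extract SRC/DST/PROTO/DPT from one LOG line; None if malformed or incomplete."""
    fields = dict(FIELD_RE.findall(line))
    if not {"SRC", "DST", "PROTO", "DPT"} <= fields.keys():
        return None
    try:
        return {
            "src": ipaddress.ip_address(fields["SRC"]),
            "dst": ipaddress.ip_address(fields["DST"]),
            "proto": fields["PROTO"].upper(),
            "dport": int(fields["DPT"]),
        }
    except ValueError:
        return None


def is_management_source(addr):
    """True when the source address belongs to a management prefix."""
    return any(addr in net for net in MANAGEMENT_NETS)


def find_exposed_bmc_traffic(log_lines):
    """Return (src, dst, proto, dport, reason) for each flow that hits a BMC
    port from a source outside the management networks, in log order."""
    hits = []
    for line in log_lines:
        f = parse_fields(line)
        if f is None:
            continue
        reason = BMC_PORTS.get((f["proto"], f["dport"]))
        if reason and not is_management_source(f["src"]):
            hits.append((str(f["src"]), str(f["dst"]), f["proto"], f["dport"], reason))
    return hits


# Constructed sample: a legitimate management session, an Internet source
# reaching both BMC ports on a host's shared LAN address, ordinary HTTPS
# traffic, and a garbled line that must be skipped rather than crash the parser.
SAMPLE_LOG = [
    "kernel: IN=eth1 OUT= SRC=10.10.3.4 DST=10.10.200.7 PROTO=UDP SPT=50000 DPT=623 LEN=40",
    "kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.20 PROTO=TCP SPT=40111 DPT=49152 SYN",
    "kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.20 PROTO=UDP SPT=40112 DPT=623 LEN=40",
    "kernel: IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.20 PROTO=TCP SPT=52000 DPT=443 SYN",
    "kernel: IN=eth0 OUT= MAC=garbage SRC=not-an-ip DST=198.51.100.20 PROTO=TCP DPT=49152",
]

if __name__ == "__main__":
    for src, dst, proto, port, reason in find_exposed_bmc_traffic(SAMPLE_LOG):
        print(f"ALERT {src} -> {dst} {proto}/{port}: {reason}")
```

A hit here means the BMC answered on an interface it should not be on; the fix is the one the thread gives (dedicated port, firewall, separate management VLAN), and the alert is what tells you the failover default bit you. Extend BMC_PORTS with the BMC's web ports if your hosts do not otherwise serve HTTP on the same address.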
  13. Re:Wha? by Minwee · · Score: 2

    > SuperMicro built these PIN code locks with the correct code clearly printed on the side of the PIN entry panel.

    What's even more frightening is what some of those codes were set to by the security conscious (or is that unconscious) people in charge of them:

    [...] at the point of this writing, there are 31,964 systems that have their passwords available on the open market. It gets a bit scarier when you review some of the password statistics. Out of those passwords, 3296 are the default combination. Since I’m not comfortable providing too much password information, I will just say that there exists a subset of this data that either contains or just was “password”.

    President Skroob's luggage looks like Fort Knox compared to these things.

  14. Re:Wha? by Minwee · · Score: 5, Funny

    >That's pretty terrifying stuff!

    It's pretty handy if you have 100 racks of 30 machines each and no monitor or keyboard on any of them.

    And with SuperMicro BMCs, it's even more handy when you don't own any of them.

  15. hoping my VPN doesn't also have a flaw by raymorris · · Score: 2

    > the IPMI interface is configured with a non-public IP address ... so while this is some sloppy-ass stuff on Supermicro's part, I am personally not that concerned.

    In my case, those non-public IPs are part of a management network that is only accessible via a VPN. So we're safe UNLESS the VPN endpoint happens to have a flaw, or someone mistakenly plugs one of the management interfaces into the internet, not realizing that the "security" on the interface doesn't actually work.

  16. Re:Wha? by sexconker · · Score: 4, Informative

    A BMC is a baseboard management controller - it's essentially an always-on processor / chipset that can do basic shit like turn the machine on and off, let you get into BIOS over serial (and thus serial over LAN if your motherboard supports it), etc.
    As long as the box has power and the BMC has a connection (typically sharing one of the NICs), you can boot your machine and do shit with IPMI commands remotely, reconfigure the BIOS, whatever.

    OEMs build on this by slapping on another layer of shit that lets you do graphical redirection (instead of text), connect over the web, pipe in files and have them emulated as a bootable floppy, disc, or USB image, etc. This lets you do remote BIOS/UEFI/firmware updates for example, a remote OS installation, etc.
    DELL calls this shit DRAC or iDRAC, HP has iLO, etc.

    Nearly all servers come with some sort of BMC that supports IPMI. You do not have to pay for the advanced shit that you'll really only ever use once.

    When issuing IPMI commands you can require a username and password. You can also enable encryption so that these are not sent in plaintext.
    It sounds like TFS is saying that Supermicro had a file containing a list of IPMI passwords in a publicly-accessible space.
    Note that if this file just had passwords and not the corresponding encryption keys (RMCP+), they would still be useful. Most implementations make RMCP+ encryption optional - it's on the client to specify the key and key type used, and its only real purpose is to prevent a MITM from sniffing the username and password.

  17. Re:Wha? by mcrbids · · Score: 2

    Makes perfect sense why the passwords would suck. These are the same doofus types that put IPMI on the public Internet.

    --
    I have no problem with your religion until you decide it's reason to deprive others of the truth.