UNIVERSAL PLUG N PWN —

At least 32,000 servers broadcast admin passwords in the clear, advisory warns

Exploiting bug in Supermicro hardware is as easy as connecting to port 49152.

Dan Goodin - Jun 20, 2014 12:06 am UTC

An alarming number of servers containing motherboards manufactured by Supermicro continue to expose administrator passwords despite the release of an update that patches the critical vulnerability, an advisory published Thursday warned.

Promoted Comments

pbrutschSmack-Fu Master, in training
jump to post

Thoughtful wrote:
This vulnerability is not exposing admin passwords for the operating systems. Data may be destroyed but I cannot conceive of how anything could be exposed unless an administrator chose the same password for both the board management interface and the operating system.

You underestimate several things:

a) BMC modules are more than for monitoring... they're for remote server *control*... including the OS. Most BMC modules (DRAC on Dell, CIMC on Cisco UCS, iLO on HP, etc) provide a web interface for launching a Java app that gives you *console* access to whatever OS is installed, as well as a method for remotely booting a server from an ISO image. It's awesome for installing/reinstalling/upgrading a box.

b) Most people really do use the same username & password combo for EVERYTHING. Bad practice? Sure. Does it keep people from doing it? Nope.

c) I tested this against one of my servers. Among other things, it exposed the username and password the BMC uses for user authentication against AD. In some environments, this would be more than enough to yield VPN access.

23 posts | registered Aug 11, 2008
hdmooreSmack-Fu Master, in training
jump to post

Some things that may folks may not be aware of:

1) A compromised IPMI card can be used to root the server by rebooting to a virtual cdrom containing a rescue disk image. If you own the IPMI card, you can own the server.

2) A compromised server can be used to reflash and otherwise compromise the IPMI card using the local device interface.

What this means is that an attacker who owns an exposed IPMI card can pull any data they want off the drive of the server or rootkit it. They can even rootkit the IPMI card itself using off-the-shelf tools for firmware modification. Even reinstalling the server would not remove a rootkit like this.

Now think about this in terms of segmenting your IPMI from your production network. An attacker that gets access to one can get access to the other. For shared hosting environments, this is a nightmare that is pretty much impossible to fix without disabling the card. Any paying customer can reflash the IPMI, get backdoor access to the IPMI network, and from there root the other customer's servers.

References:
* https://community.rapid7.com/community/ ... de-to-ipmi
* https://github.com/devicenull/ipmi_firmware_tools

-HD

1 post | registered Apr 30, 2013
bamnSmack-Fu Master, in training
jump to post

My (affected) Supermicro board has a separate port for IPMI, but if you don't use it, it shares the primary Ethernet port. It still has its own IP (it doesn't just use high port numbers) but it shares the NIC.

This is bad news for several reasons, but even without this vulnerability existing, I bet there are a lot of people out there with IPMI interfaces using default passwords, unknowingly attached to their LANs by default! Unless you actively address the issue, the default is anyone owning the console, from the moment you connect to your network. I bet many people don't know the thing is even there, or assume it's disconnected until they connect it, etc.

What an utterly wretched implementation, and this security flaw is pretty much unforgivable.

84 posts | registered Feb 2, 2011
ZachWSmack-Fu Master, in training
jump to post

Hey all,

Several of the Supermicro motherboards are not easily flashable or suffer from a multitude of issues, especially with the v3.15. The most notable offender is the X9DRL-O-3F. We have about 200 SM X9DRL-O-3F systems running, and have had to RMA nearly every board that we attempted to flash with the 3.15 IPMI bios. The single processor versions of the X9 (such as the SCL) don't seem to have a problem at all, however, MP/DP versions are extremely unpredictable.

Many people I have spoken to about the original release are running the uniprocessor boards. I will admit that flashing many of the single processor boards is a breeze. To the best of my knowledge, only about 4 or 5 of X9SCLs (of which we have approx 600) have experienced flashing problems. I should have made mention in my original article that there are specific boards that do not respond well to flashing.

Also, the X9DRL boards should NEVER be flashed while in service. In fact, attempting to flash the system from the web console often times fails completely. Not to mention if the motherboard BIOS is not up to date, you must flash that to the most current version and reboot.

It is also worth mentioning that the complexity of the situation is compounded when customers are involved. There are uptime SLAs and contracts that must be upheld. Like for us, our customers never see their equipment, but we manage the infrastructure. Due to the issues that flashing an X9DRL can present, scheduling downtime becomes difficult.

We are switching away from the X9DRL-O-3F because of these issues.

Also if you google "IPMI 3.15" or "Supermicro 3.15", you will find that we are not alone. Thanks guys!

Zach W.

1 post | registered Jun 20, 2014

Promoted Comments

pbrutschSmack-Fu Master, in training
jump to post

Thoughtful wrote:
This vulnerability is not exposing admin passwords for the operating systems. Data may be destroyed but I cannot conceive of how anything could be exposed unless an administrator chose the same password for both the board management interface and the operating system.

You underestimate several things:

a) BMC modules are more than for monitoring... they're for remote server *control*... including the OS. Most BMC modules (DRAC on Dell, CIMC on Cisco UCS, iLO on HP, etc) provide a web interface for launching a Java app that gives you *console* access to whatever OS is installed, as well as a method for remotely booting a server from an ISO image. It's awesome for installing/reinstalling/upgrading a box.

b) Most people really do use the same username & password combo for EVERYTHING. Bad practice? Sure. Does it keep people from doing it? Nope.

c) I tested this against one of my servers. Among other things, it exposed the username and password the BMC uses for user authentication against AD. In some environments, this would be more than enough to yield VPN access.

23 posts | registered Aug 11, 2008
hdmooreSmack-Fu Master, in training
jump to post

Some things that may folks may not be aware of:

1) A compromised IPMI card can be used to root the server by rebooting to a virtual cdrom containing a rescue disk image. If you own the IPMI card, you can own the server.

2) A compromised server can be used to reflash and otherwise compromise the IPMI card using the local device interface.

What this means is that an attacker who owns an exposed IPMI card can pull any data they want off the drive of the server or rootkit it. They can even rootkit the IPMI card itself using off-the-shelf tools for firmware modification. Even reinstalling the server would not remove a rootkit like this.

Now think about this in terms of segmenting your IPMI from your production network. An attacker that gets access to one can get access to the other. For shared hosting environments, this is a nightmare that is pretty much impossible to fix without disabling the card. Any paying customer can reflash the IPMI, get backdoor access to the IPMI network, and from there root the other customer's servers.

References:
* https://community.rapid7.com/community/ ... de-to-ipmi
* https://github.com/devicenull/ipmi_firmware_tools

-HD

1 post | registered Apr 30, 2013
bamnSmack-Fu Master, in training
jump to post

My (affected) Supermicro board has a separate port for IPMI, but if you don't use it, it shares the primary Ethernet port. It still has its own IP (it doesn't just use high port numbers) but it shares the NIC.

This is bad news for several reasons, but even without this vulnerability existing, I bet there are a lot of people out there with IPMI interfaces using default passwords, unknowingly attached to their LANs by default! Unless you actively address the issue, the default is anyone owning the console, from the moment you connect to your network. I bet many people don't know the thing is even there, or assume it's disconnected until they connect it, etc.

What an utterly wretched implementation, and this security flaw is pretty much unforgivable.

84 posts | registered Feb 2, 2011
ZachWSmack-Fu Master, in training
jump to post

Hey all,

Several of the Supermicro motherboards are not easily flashable or suffer from a multitude of issues, especially with the v3.15. The most notable offender is the X9DRL-O-3F. We have about 200 SM X9DRL-O-3F systems running, and have had to RMA nearly every board that we attempted to flash with the 3.15 IPMI bios. The single processor versions of the X9 (such as the SCL) don't seem to have a problem at all, however, MP/DP versions are extremely unpredictable.

Many people I have spoken to about the original release are running the uniprocessor boards. I will admit that flashing many of the single processor boards is a breeze. To the best of my knowledge, only about 4 or 5 of X9SCLs (of which we have approx 600) have experienced flashing problems. I should have made mention in my original article that there are specific boards that do not respond well to flashing.

Also, the X9DRL boards should NEVER be flashed while in service. In fact, attempting to flash the system from the web console often times fails completely. Not to mention if the motherboard BIOS is not up to date, you must flash that to the most current version and reboot.

It is also worth mentioning that the complexity of the situation is compounded when customers are involved. There are uptime SLAs and contracts that must be upheld. Like for us, our customers never see their equipment, but we manage the infrastructure. Due to the issues that flashing an X9DRL can present, scheduling downtime becomes difficult.

We are switching away from the X9DRL-O-3F because of these issues.

Also if you google "IPMI 3.15" or "Supermicro 3.15", you will find that we are not alone. Thanks guys!

Zach W.

1 post | registered Jun 20, 2014

Dan Goodin Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. In his spare time, he enjoys gardening, cooking, and following the independent music scene.

Channel Ars Technica

← Previous story Next story →

Further Reading

Promoted Comments

Promoted Comments

reader comments

Channel Ars Technica