Despite patches, Supermicro's IPMI firmware is far from secure, researchers say

The IPMI in Supermicro motherboards has vulnerabilities that can give attackers unauthorized access to servers, Rapid7 researchers said

By Lucian Constantin, IDG News Service | Hardware

The Intelligent Platform Management Interface (IPMI) implementation found in motherboards from server manufacturer Supermicro suffers from serious vulnerabilities that could allow attackers to remotely compromise the management controllers in servers that use them.

The IPMI specification was developed by Intel and allows system administrators to manage and monitor computer systems remotely in the absence of physical access to them. IPMI supports multiple communication protocols and operates independently of the operating system running on the computer. Its central part is a microcontroller called the Baseboard Management Controller (BMC) that is usually embedded into the motherboard and is directly connected to its southbridge and a variety of sensors.

BMCs are essentially computers that run inside other computers, most commonly servers. They are usually based on ARM chips and run Linux-based firmware that implements the IPMI functions including monitoring, rebooting and reinstalling the host server's OS.

IPMI implementations vary from vendor to vendor, but most expose a Web-based management interface, a command-line interface via Telnet or Secure Shell, and the IPMI network protocol on port 623 UDP or TCP.

If an attacker gains administrative access to the BMC, they can reboot the host server's operating system into a root shell and introduce a backdoor or copy data from the hard drive. Gaining access to the host operating system while it's running without rebooting it might also be possible, according to a July analysis of IPMI security risks by security researchers from Rapid7.

On Aug. 22, Rapid7 researchers found several security issues in the IPMI firmware version SMT_X9_226 from Supermicro and reported them to the vendor.

Those issues included the use of hard-coded encryption keys for SSL and SSH connections that could allow an attacker to perform a man-in-the-middle attack and decrypt communication to the firmware; the use of hard-coded credentials with static passwords, including one that cannot be changed by the user; buffer overflow vulnerabilities in the login.cgi, lose_window.cgi and logout.cgi applications that can result in remote code execution as the root user account; and a directory traversal flaw in the url_redirect.cgi application that allows attackers with access to a nonprivileged account to read any file of the system, including the one that contains plain-text credentials for all users.
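The directory traversal flaw described above belongs to a well-understood class: a CGI handler joins a user-supplied path onto its web root and opens the result without checking where the path actually ends up. The following Python example is added here to illustrate that class and its fix; it is not Supermicro firmware code or Rapid7's test code, and the web root layout, file names and the `resolve_*`, `classify` and `build_fixture` helpers are all constructed for this demonstration. It shows three resolvers side by side: the naive join that lets `..` escape the root, a common half-fix that checks a string prefix and still accepts a sibling directory whose name shares that prefix (`www2` next to `www`), and a resolver that uses `os.path.commonpath` on the real paths so both escapes are rejected.

```python
import os
import tempfile


def resolve_naive(webroot, requested):
    """Vulnerable pattern: trust the request and join it onto the web root."""
    return os.path.normpath(os.path.join(webroot, requested))


def resolve_prefix(webroot, requested):
    """Half-fix: canonicalise, then do a string prefix check.

    Still wrong: with root '/srv/www', the path '/srv/www2/leak.txt'
    passes candidate.startswith(root) even though it is outside the root.
    """
    root = os.path.realpath(webroot)
    candidate = os.path.realpath(os.path.join(root, requested.lstrip("/")))
    if not candidate.startswith(root):
        raise ValueError("path escapes web root: %r" % requested)
    return candidate


def resolve_safe(webroot, requested):
    """Hardened: canonicalise both sides (collapses '..' and follows symlinks),
    then require the root to be a path component prefix, not a string prefix."""
    root = os.path.realpath(webroot)
    candidate = os.path.realpath(os.path.join(root, requested.lstrip("/")))
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError("path escapes web root: %r" % requested)
    return candidate


def classify(resolver, webroot, requested):
    """Run one resolver on a request and report what a handler would do.

    'allowed'  -> the resolver returned a path and a regular file exists there
    'rejected' -> the resolver refused the request
    'missing'  -> the resolver accepted it but nothing is at that path
    """
    try:
        path = resolver(webroot, requested)
    except ValueError:
        return "rejected"
    return "allowed" if os.path.isfile(path) else "missing"


def build_fixture():
    """Constructed directory tree (not a real firmware layout):

        <tmp>/www/index.html   the only file the handler should ever serve
        <tmp>/secret.txt       a file outside the root
        <tmp>/www2/leak.txt    a sibling directory whose name shares the root's prefix

    Returns the path of the web root.
    """
    base = tempfile.mkdtemp(prefix="traversal-demo-")
    www = os.path.join(base, "www")
    www2 = os.path.join(base, "www2")
    os.makedirs(www)
    os.makedirs(www2)
    with open(os.path.join(www, "index.html"), "w") as fh:
        fh.write("<html>public</html>\n")
    with open(os.path.join(base, "secret.txt"), "w") as fh:
        fh.write("outside the web root\n")
    with open(os.path.join(www2, "leak.txt"), "w") as fh:
        fh.write("sibling directory\n")
    return www


if __name__ == "__main__":
    root = build_fixture()
    for name, resolver in (("naive", resolve_naive),
                           ("prefix", resolve_prefix),
                           ("safe", resolve_safe)):
        for req in ("index.html", "../secret.txt", "../www2/leak.txt"):
            print("%-6s %-18s -> %s" % (name, req, classify(resolver, root, req)))
```

The important design choice is the last resolver: `os.path.realpath` removes `..` segments and resolves symbolic links before the check, and `os.path.commonpath` compares path components rather than characters, which is what closes the `www`/`www2` gap that a `startswith` check leaves open.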
