05:51 PM
Connect Directly

New Gaping Security Holes Found Exposing Servers

Researcher HD Moore so far has discovered around 300,000 servers online at serious risk of hacker takeover

A widely deployed protocol and controller used in servers and workstations both contain serious vulnerabilities that, in effect, give attackers near-physical access to the machines, a pair of renowned researchers said today.

HD Moore, chief research officer at Rapid7 and creator of Metasploit, and security researcher Dan Farmer announced findings of their research on major flaws in the Intelligent Platform Management Interface (IPMI) protocol and the Baseboard Management Controllers (BMC) packaged with most servers for remote management purposes.

As part of his ongoing Internet scanning research, Moore found more than 100,000 servers and workstations online that are vulnerable to one or more of six flaws in IPMI and BMC -- some of which were bugs Farmer revealed earlier this year -- which Moore says is just the tip of the iceberg of potential servers in danger on the Net. The bugs could allow an attacker to compromise BMCs in the affected servers and siphon data from attached storage devices, make changes to the operating system, install a permanent backdoor, sniff credentials sent through the server, launch a denial-of-service attack, or wipe the hard drives.

[Unplug Universal Plug And Play (UPnP) to protect routers, storage devices, media players from getting hacked over the Internet, Rapid7 says. See Millions Of Networked Devices In Harm's Way.]

Moore says these findings are big and more serious than other equipment he has found exposed on the Internet. "It's one thing to be hacking some crappy home router, but it's another thing" to see servers wide open to attack, he says.

And there isn't really a fix for the IPMI protocol problems. "By definition, the technology is pretty much broken. There's no such thing as an IPMI secure device," Moore says.

The vulnerabilities follow a common theme in other weaknesses Moore has discovered in Internet-facing equipment: default backdoor-type access by the vendors for internal ease of access and use, including default passwords, and customers either unaware or not understanding the looming dangers of the holes sitting exposed on the Internet.

"This definitely qualifies for the moniker 'gaping security hole,'" says Chris Wysopal, CTO at Veracode. "These management interfaces give, as Dan [Farmer] says, 'equivalent to physical access' and use a separate authentication scheme than IT admins typically use with centralized authentication, such as Windows Active Directory. Many admins don't know this management interface exists."

Those server ports should not be open to the outside, either, Wysopal says, so it appears to be a very prevalent mistake by server admins. "The big deal I see is that once an attacker is through the perimeter, they can have a field day internally with these vulnerabilities."

BMCs are found on most servers today, and are OEMed and sold by Dell, HP, IBM, and Supermicro, for instance; they are either integrated on the motherboard of the server or as an add-on that plugs into a connector or PCI slot. They are basically computers in their own right that offer remote management of servers, and provide things like virtual keyboards, video, mouse, power, and removable media control for the machines. And even when the server is powered down, the BMC is still powered on.

IPMI, the server management protocol that runs on the BMC, is supported by some 200 vendors and was found by Farmer to have various authentication and access flaws.

The researchers say attackers could hack into a server via a compromised BMC by rebooting the server from a virtual CD-ROM and using a rescue disk. "The former resets the local Windows Administrator account password and the latter does an in-memory patch that disables console authentication in both Linux and Windows. The BMC can then force the server to boot normally and provide console access to the attacker through built-in KVM functionality," they wrote in an FAQ on the vulnerabilities.

"The BMC provides the equivalent of physical access to the server with many of the security exposures that this implies, such as booting to single-user mode, accessing the BIOS settings, and being able to watch the physical display. If the hard drives of the server are not encrypted, an attacker could boot the server into a rescue environment, and manipulate or copy the file system without any assistance from the server's operating system," they wrote.

Farmer's initial work on the bugs initially didn't capture much public attention. "It kind of sat there for five months, and the security community ignored it," he says. "It wasn't until we got some Internet exposure to how bad it really was" that it got the attention it deserved, according to Moore.

There are a total six flaws with BMC security that the researchers found, most of which are rooted in the IPMI protocol:

• IPMI version 2.0's "cipher 0" encryption method that bypasses authentication altogether for IPMI commands. This feature is often on by default in BMCs;

• IPMI version 2.0 sends requesting clients a cryptographic hash of the user's password before authentication, which could allow an attacker to brute-force the hash to grab the password if it's not a strong one;

• IPMI version 2.0 supports logins by anonymous users -- with a username and password set to "null." This user account often comes with administrative privileges, and some BMC vendors ship this feature activated by default;

• All versions of IPMI are able to provide authentication methods remotely to a requester via the "get channel authentication" request;

• Some BMCs enable the Universal Plug and Play (UPnP) protocol by default and have no option for disabling it. Supermicro's BMC is among those vendors;

• IPMI passwords are stored unencrypted in BMCs. This is especially dangerous because multiple servers often share the same IPMI password. Both Dell and Supermicro BMCs are configured with unencrypted IPMI passwords.

Rapid7 found 308,000 IPMI-enabled BMCs exposed on the Net, 195,000 of which have no encryption because they run IPMI 1.5, which doesn't support it. Some 99,000 of the IPMI 2.0 servers expose password hashes, 53,000 are at risk of password bypass with Cipher 0, and 35,000 use a vulnerable UPnP service.

Meanwhile, most server hosting providers that support Supermicro BMCs are affected by these flaws. The danger here is that an attacker could install a permanent backdoor on the BMC that would provide it access to all of the hosting providers customers on that hardware platform, Moore says.

Rapid7, itself, had a brush with the BMC security holes earlier this year. The vulnerability management and penetration testing firm got a shipment of third-party appliances that included Supermicro motherboards that came with IPMI enabled. "The first round of Supermicro boards we received this year had IPMI enabled by default, and it took a couple long days and late nights to jumper them so we could use them as intended without introducing a risk," Moore recalls. "Our new boards specifically exclude the IPMI feature."

What To Do About It
Among the recommendations by the researchers: scan for and detect any exposed systems to make sure IPMI-enabled BMCs are not exposed to the Internet. For servers running internally, disable Cipher 0; set up strong and complex passwords; and for Supermicro BMCs, update the firmware.

Moore's full posting on the IPMI/BMC server security issues, including links to Farmer's research, is available here.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Kelly Jackson Higgins is Executive Editor at She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Facebook Aims to Make Security More Social
Kelly Sheridan, Associate Editor, Dark Reading,  2/20/2018
SEC: Companies Must Disclose More Info on Cybersecurity Attacks & Risks
Kelly Jackson Higgins, Executive Editor at Dark Reading,  2/22/2018
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
How to Cope with the IT Security Skills Shortage
Most enterprises don't have all the in-house skills they need to meet the rising threat from online attackers. Here are some tips on ways to beat the shortage.
Flash Poll
[Strategic Security Report] Navigating the Threat Intelligence Maze
[Strategic Security Report] Navigating the Threat Intelligence Maze
Most enterprises are using threat intel services, but many are still figuring out how to use the data they're collecting. In this Dark Reading survey we give you a look at what they're doing today - and where they hope to go.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.