HD Moore, chief research officer at Rapid7 and creator of Metasploit, and security researcher Dan Farmer announced findings of their research on major flaws in the Intelligent Platform Management Interface (IPMI) protocol and the Baseboard Management Controllers (BMC) packaged with most servers for remote management purposes.
As part of his ongoing Internet scanning research, Moore found more than 100,000 servers and workstations online that are vulnerable to one or more of six flaws in IPMI and BMC -- some of which were bugs Farmer revealed earlier this year -- which Moore says is just the tip of the iceberg of potential servers in danger on the Net. The bugs could allow an attacker to compromise BMCs in the affected servers and siphon data from attached storage devices, make changes to the operating system, install a permanent backdoor, sniff credentials sent through the server, launch a denial-of-service attack, or wipe the hard drives.
[Unplug Universal Plug And Play (UPnP) to protect routers, storage devices, media players from getting hacked over the Internet, Rapid7 says. See Millions Of Networked Devices In Harm's Way.]
Moore says these findings are big and more serious than other equipment he has found exposed on the Internet. "It's one thing to be hacking some crappy home router, but it's another thing" to see servers wide open to attack, he says.
And there isn't really a fix for the IPMI protocol problems. "By definition, the technology is pretty much broken. There's no such thing as an IPMI secure device," Moore says.
The vulnerabilities follow a common theme in other weaknesses Moore has discovered in Internet-facing equipment: default backdoor-type access by the vendors for internal ease of access and use, including default passwords, and customers either unaware or not understanding the looming dangers of the holes sitting exposed on the Internet.
"This definitely qualifies for the moniker 'gaping security hole,'" says Chris Wysopal, CTO at Veracode. "These management interfaces give, as Dan [Farmer] says, 'equivalent to physical access' and use a separate authentication scheme than IT admins typically use with centralized authentication, such as Windows Active Directory. Many admins don't know this management interface exists."
Those server ports should not be open to the outside, either, Wysopal says, so it appears to be a very prevalent mistake by server admins. "The big deal I see is that once an attacker is through the perimeter, they can have a field day internally with these vulnerabilities."
BMCs are found on most servers today, and are OEMed and sold by Dell, HP, IBM, and Supermicro, for instance; they are either integrated on the motherboard of the server or as an add-on that plugs into a connector or PCI slot. They are basically computers in their own right that offer remote management of servers, and provide things like virtual keyboards, video, mouse, power, and removable media control for the machines. And even when the server is powered down, the BMC is still powered on.
IPMI, the server management protocol that runs on the BMC, is supported by some 200 vendors and was found by Farmer to have various authentication and access flaws.
The researchers say attackers could hack into a server via a compromised BMC by rebooting the server from a virtual CD-ROM and using a rescue disk. "The former resets the local Windows Administrator account password and the latter does an in-memory patch that disables console authentication in both Linux and Windows. The BMC can then force the server to boot normally and provide console access to the attacker through built-in KVM functionality," they wrote in an FAQ on the vulnerabilities.
"The BMC provides the equivalent of physical access to the server with many of the security exposures that this implies, such as booting to single-user mode, accessing the BIOS settings, and being able to watch the physical display. If the hard drives of the server are not encrypted, an attacker could boot the server into a rescue environment, and manipulate or copy the file system without any assistance from the server's operating system," they wrote.
Farmer's initial work on the bugs initially didn't capture much public attention. "It kind of sat there for five months, and the security community ignored it," he says. "It wasn't until we got some Internet exposure to how bad it really was" that it got the attention it deserved, according to Moore.
There are a total six flaws with BMC security that the researchers found, most of which are rooted in the IPMI protocol:
• IPMI version 2.0's "cipher 0" encryption method that bypasses authentication altogether for IPMI commands. This feature is often on by default in BMCs;
• IPMI version 2.0 sends requesting clients a cryptographic hash of the user's password before authentication, which could allow an attacker to brute-force the hash to grab the password if it's not a strong one;
• IPMI version 2.0 supports logins by anonymous users -- with a username and password set to "null." This user account often comes with administrative privileges, and some BMC vendors ship this feature activated by default;
• All versions of IPMI are able to provide authentication methods remotely to a requester via the "get channel authentication" request;
• Some BMCs enable the Universal Plug and Play (UPnP) protocol by default and have no option for disabling it. Supermicro's BMC is among those vendors;
• IPMI passwords are stored unencrypted in BMCs. This is especially dangerous because multiple servers often share the same IPMI password. Both Dell and Supermicro BMCs are configured with unencrypted IPMI passwords.
Rapid7 found 308,000 IPMI-enabled BMCs exposed on the Net, 195,000 of which have no encryption because they run IPMI 1.5, which doesn't support it. Some 99,000 of the IPMI 2.0 servers expose password hashes, 53,000 are at risk of password bypass with Cipher 0, and 35,000 use a vulnerable UPnP service.
Meanwhile, most server hosting providers that support Supermicro BMCs are affected by these flaws. The danger here is that an attacker could install a permanent backdoor on the BMC that would provide it access to all of the hosting providers customers on that hardware platform, Moore says.
Rapid7, itself, had a brush with the BMC security holes earlier this year. The vulnerability management and penetration testing firm got a shipment of third-party appliances that included Supermicro motherboards that came with IPMI enabled. "The first round of Supermicro boards we received this year had IPMI enabled by default, and it took a couple long days and late nights to jumper them so we could use them as intended without introducing a risk," Moore recalls. "Our new boards specifically exclude the IPMI feature."
What To Do About It
Among the recommendations by the researchers: scan for and detect any exposed systems to make sure IPMI-enabled BMCs are not exposed to the Internet. For servers running internally, disable Cipher 0; set up strong and complex passwords; and for Supermicro BMCs, update the firmware.
Moore's full posting on the IPMI/BMC server security issues, including links to Farmer's research, is available here.
Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.