05:51 PM
New Gaping Security Holes Found Exposing Servers

Researcher HD Moore so far has discovered around 300,000 servers online at serious risk of hacker takeover

A widely deployed protocol and controller used in servers and workstations both contain serious vulnerabilities that, in effect, give attackers near-physical access to the machines, a pair of renowned researchers said today.

HD Moore, chief research officer at Rapid7 and creator of Metasploit, and security researcher Dan Farmer announced findings of their research on major flaws in the Intelligent Platform Management Interface (IPMI) protocol and the Baseboard Management Controllers (BMC) packaged with most servers for remote management purposes.

As part of his ongoing Internet scanning research, Moore found more than 100,000 servers and workstations online that are vulnerable to one or more of six flaws in IPMI and BMCs, some of them bugs Farmer revealed earlier this year. Moore says this is just the tip of the iceberg of servers potentially in danger on the Net. The bugs could allow an attacker to compromise the BMCs in affected servers and siphon data from attached storage devices, alter the operating system, install a permanent backdoor, sniff credentials passing through the server, launch a denial-of-service attack, or wipe the hard drives.

[Unplug Universal Plug And Play (UPnP) to protect routers, storage devices, media players from getting hacked over the Internet, Rapid7 says. See Millions Of Networked Devices In Harm's Way.]

Moore says these findings are big and more serious than other equipment he has found exposed on the Internet. "It's one thing to be hacking some crappy home router, but it's another thing" to see servers wide open to attack, he says.

And there isn't really a fix for the IPMI protocol problems. "By definition, the technology is pretty much broken. There's no such thing as an IPMI secure device," Moore says.

The vulnerabilities follow a theme common to other weaknesses Moore has found in Internet-facing equipment: backdoor-style default access left in by vendors for their own convenience, including default passwords, combined with customers who are either unaware of, or do not understand, the dangers of leaving these holes exposed on the Internet.

"This definitely qualifies for the moniker 'gaping security hole,'" says Chris Wysopal, CTO at Veracode. "These management interfaces give, as Dan [Farmer] says, 'equivalent to physical access' and use a separate authentication scheme than IT admins typically use with centralized authentication, such as Windows Active Directory. Many admins don't know this management interface exists."

Those server ports should not be open to the outside, either, Wysopal says, so it appears to be a very prevalent mistake by server admins. "The big deal I see is that once an attacker is through the perimeter, they can have a field day internally with these vulnerabilities."

BMCs are found on most servers today, and are OEMed and sold by Dell, HP, IBM, and Supermicro, for instance; they are either integrated on the motherboard of the server or as an add-on that plugs into a connector or PCI slot. They are basically computers in their own right that offer remote management of servers, and provide things like virtual keyboards, video, mouse, power, and removable media control for the machines. And even when the server is powered down, the BMC is still powered on.

IPMI, the server management protocol that runs on the BMC, is supported by some 200 vendors and was found by Farmer to have various authentication and access flaws.

The researchers say attackers could hack into a server via a compromised BMC by rebooting the server from a virtual CD-ROM and using a rescue disk. "The former resets the local Windows Administrator account password and the latter does an in-memory patch that disables console authentication in both Linux and Windows. The BMC can then force the server to boot normally and provide console access to the attacker through built-in KVM functionality," they wrote in an FAQ on the vulnerabilities.

"The BMC provides the equivalent of physical access to the server with many of the security exposures that this implies, such as booting to single-user mode, accessing the BIOS settings, and being able to watch the physical display. If the hard drives of the server are not encrypted, an attacker could boot the server into a rescue environment, and manipulate or copy the file system without any assistance from the server's operating system," they wrote.

Farmer's initial work on the bugs didn't capture much public attention. "It kind of sat there for five months, and the security community ignored it," he says. "It wasn't until we got some Internet exposure to how bad it really was" that it got the attention it deserved, according to Moore.

The researchers found a total of six flaws in BMC security, most of them rooted in the IPMI protocol:

• IPMI version 2.0's "cipher 0" cipher suite, which bypasses authentication altogether for IPMI commands. This feature is often on by default in BMCs;

• IPMI version 2.0 sends a requesting client a cryptographic hash of the user's password before authentication completes, which could allow an attacker to brute-force the hash and recover the password if it is not a strong one;

• IPMI version 2.0 supports logins by anonymous users -- with a username and password set to "null." This user account often comes with administrative privileges, and some BMC vendors ship this feature activated by default;

• All versions of IPMI disclose the authentication methods a BMC supports to any remote requester via the "get channel authentication" request;

• Some BMCs enable the Universal Plug and Play (UPnP) protocol by default and offer no option to disable it; Supermicro is among those vendors;

• IPMI passwords are stored unencrypted in BMCs. This is especially dangerous because multiple servers often share the same IPMI password. Both Dell and Supermicro BMCs are configured with unencrypted IPMI passwords.

Rapid7 found 308,000 IPMI-enabled BMCs exposed on the Net, 195,000 of which have no encryption because they run IPMI 1.5, which doesn't support it. Some 99,000 of the IPMI 2.0 servers expose password hashes, 53,000 are at risk of password bypass with Cipher 0, and 35,000 use a vulnerable UPnP service.

Meanwhile, most server hosting providers that use Supermicro BMCs are affected by these flaws. The danger here is that an attacker could install a permanent backdoor on the BMC that would grant access to all of the hosting provider's customers on that hardware platform, Moore says.

Rapid7, itself, had a brush with the BMC security holes earlier this year. The vulnerability management and penetration testing firm got a shipment of third-party appliances that included Supermicro motherboards that came with IPMI enabled. "The first round of Supermicro boards we received this year had IPMI enabled by default, and it took a couple long days and late nights to jumper them so we could use them as intended without introducing a risk," Moore recalls. "Our new boards specifically exclude the IPMI feature."

What To Do About It
Among the researchers' recommendations: scan for exposed systems so that no IPMI-enabled BMC is reachable from the Internet. For servers used internally, disable cipher 0, set strong, complex passwords, and, for Supermicro BMCs, update the firmware.
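The checks an administrator would run against their own BMCs follow directly from the flaw list above and the recommendations here: is cipher 0 usable, is the IPMI 1.5 "NONE" authentication type enabled, and is the null-named user still active. The script below is an added example, not code from the article, Rapid7 or the researchers. It parses the text that `ipmitool lan print <channel>` and `ipmitool user list <channel>` print (both sample outputs are constructed for the example), reports each finding, and pairs it with the ipmitool remediation command; the `lan set ... cipher_privs`, `lan set ... auth` and `user disable` command forms are assumed from ipmitool's documented syntax.

```python
"""Audit ipmitool output for the BMC weaknesses described in the article.

Added example, not code from the article, Rapid7 or the researchers.
It parses the text printed by `ipmitool lan print <channel>` and
`ipmitool user list <channel>`; both sample outputs below are constructed.
The remediation strings assume ipmitool's `lan set` and `user disable` syntax.
"""

# Constructed sample: a BMC with cipher suite 0 usable at ADMIN privilege
# and IPMI 1.5 auth type NONE enabled for the User level.
SAMPLE_LAN_PRINT = """\
Set in Progress         : Set Complete
Auth Type Support       : NONE MD2 MD5 PASSWORD
Auth Type Enable        : Callback : MD2 MD5 PASSWORD
                        : User     : NONE MD2 MD5 PASSWORD
                        : Operator : MD2 MD5 PASSWORD
                        : Admin    : MD2 MD5 PASSWORD
IP Address Source       : Static Address
IP Address              : 192.0.2.10
RMCP+ Cipher Suites     : 0,1,2,3,6,7,8,11,12
Cipher Suite Priv Max   : aaaaXXaaaXXaaXX
                        :     X=Cipher Suite Unused
                        :     a=ADMIN
"""

# Constructed sample: user ID 1 has an empty name (the "null" user) yet is
# enabled for IPMI messaging with ADMINISTRATOR privilege.
SAMPLE_USER_LIST = """\
ID  Name             Callin  Link Auth  IPMI Msg   Channel Priv Limit
1                    true    false      true       ADMINISTRATOR
2   admin            true    false      true       ADMINISTRATOR
3   ops              true    false      true       OPERATOR
"""


def parse_lan_print(text):
    """Map each 'Key : value' line; collect the per-level 'Auth Type Enable' lists."""
    fields, auth_enable, current = {}, {}, None
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key:                      # new field; a blank key is a continuation line
            current, fields[key] = key, value
        if current == "Auth Type Enable" and ":" in value:
            level, _, types = value.partition(":")
            auth_enable[level.strip()] = types.split()
    fields["_auth_enable"] = auth_enable
    return fields


def parse_user_list(text):
    """Yield one dict per user row; the name column may be empty."""
    for line in text.splitlines()[1:]:   # first line is the column header
        tokens = line.split()
        if len(tokens) < 5:
            continue
        yield {
            "id": int(tokens[0]),
            "name": " ".join(tokens[1:-4]),   # empty when the name column is blank
            "ipmi_msg": tokens[-2] == "true",
            "priv": tokens[-1],
        }


def disable_cipher0(privs):
    """Return the cipher_privs string with suite 0 marked unused ('X')."""
    return "X" + privs[1:]


def audit(lan_print, user_list, channel=1):
    """Return (finding, remediation command) pairs for the three checks."""
    findings = []
    lan = parse_lan_print(lan_print)
    privs = lan.get("Cipher Suite Priv Max", "")
    # Position i of the 15-character string is the maximum privilege for cipher
    # suite i; anything but 'X' at position 0 means unauthenticated cipher 0 works.
    if privs and privs[0] != "X":
        findings.append((
            f"cipher0: suite 0 usable at privilege '{privs[0]}'",
            f"ipmitool lan set {channel} cipher_privs {disable_cipher0(privs)}",
        ))
    for level, types in lan["_auth_enable"].items():
        if "NONE" in types:
            kept = ",".join(t for t in types if t != "NONE")
            findings.append((
                f"auth-none: IPMI 1.5 auth type NONE enabled for {level}",
                f"ipmitool lan set {channel} auth {level.upper()} {kept}",
            ))
    for user in parse_user_list(user_list):
        if user["name"] == "" and user["ipmi_msg"]:
            findings.append((
                f"null-user: anonymous user ID {user['id']} enabled with {user['priv']}",
                f"ipmitool user disable {user['id']}",
            ))
    return findings


if __name__ == "__main__":
    for finding, fix in audit(SAMPLE_LAN_PRINT, SAMPLE_USER_LIST):
        print(f"{finding}\n    fix: {fix}")
```

On a real host the two inputs come from `ipmitool -I lanplus -H <bmc> -U <user> lan print 1` and `... user list 1` run from a management network; the script only reads that output, and the printed commands are what an administrator would then apply to the BMC. Strong per-BMC passwords and the firmware update for Supermicro boards are not something this output can verify and remain separate steps.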

Moore's full posting on the IPMI/BMC server security issues, including links to Farmer's research, is available here.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
