11/11/2013 04:59 PM

Data Center Servers Exposed

Popular server firmware contains multiple zero-day vulnerabilities, but fixes are fraught with trade-offs

You definitely don't want to show up on one of HD Moore's Internet scans. But some 35,000 -- and counting -- servers have been found exposed on the Internet by the renowned researcher and his team in their ongoing global scanning project aimed at detecting networked devices in danger of attack. In the latest twist, popular server firmware exposed on the Net also contains multiple zero-day bugs that leave corporate servers open to outside attackers.

Rapid7 late last week disclosed several previously unknown security bugs in the Intelligent Platform Management Interface (IPMI) implementation of Supermicro's Baseboard Management Controller (BMC) firmware that, in effect, give attackers near-physical access to the affected servers. BMC firmware and its IPMI interface are the remote management tools for the servers. The flaws were found in firmware version SMT_X9_226 of Supermicro's product; Supermicro recently updated the firmware to version SMT_X9_315, which, according to Rapid7, addresses only some of the zero-days along with some other flaws.

Among the flaws Rapid7 found were static encryption keys, hard-coded credentials, and buffer overflows. Moore, who is chief research officer for Rapid7 and creator of Metasploit, says his team has not been able to confirm that Supermicro's firmware update fixes the static encryption key and hard-coded credential issues.

Supermicro had not yet responded to a press inquiry as of this posting.

Moore previously had revealed major holes in embedded devices, home routers, corporate videoconferencing systems, and other equipment on the public Internet that is open to abuse by bad guys. He and fellow researcher Dan Farmer in July announced they had discovered around 300,000 servers online at serious risk of hacker takeover via bugs in IPMI and BMC. An attacker could steal data from attached storage devices, tinker with operating system settings, install a backdoor, sniff credentials sent via the server, wipe the hard drives, or launch a denial-of-service attack on the servers, according to the researchers.

[A widely deployed protocol and controller used in servers and workstations both contain serious vulnerabilities that, in effect, give attackers near-physical access to the machines. Some 300,000 servers were discovered online at risk to this threat. See New Gaping Security Holes Found Exposing Servers.]

The Supermicro bugs are the latest example of how data centers can also be unknowingly exposed on the public Net. And the rub: Even if Supermicro fixes all of the bugs, that doesn't mean its customers will apply the patches.

"The problem is that nobody updates them, so it doesn't matter if the vendor patches it or not. The most we can do is awareness," says Tod Beardsley, Metasploit engineering manager for Rapid7. Metasploit now offers scanning modules for its framework that organizations can use to determine whether their servers are at risk, he says.

"Exploiting [these bugs] is going to give you control over the BMC, which is then a short walk to the server itself," he says. "You can enable a KVM and have a remote mouse as if you are standing in the data center ... then you can steal all the data."

Robert Graham, CEO of Errata, which has been conducting Internet scan research of its own, says Moore's IPMI research is the most critical to enterprises because it shows how corporate servers and data centers are exposed.

Even though many of the flaws that turn up in Moore's, Errata Security's, and others' scans are ignored by many users and vendors, the scanning is still necessary because the bad guys are running the very same scans, Graham contends. "IPMI is dangerous, and that has been known for a long time [by hackers]," he says.

Exposing the vulnerable devices ultimately pressures vendors to do something to improve security, he says. Graham says "making a stink" about these problems prevents vendors from holding their users hostage. "When they say [to researchers], 'Please don't disclose this vulnerability because it affects my users' ... it means, 'I'm holding my users hostage,'" Graham says.

So what can enterprises do to protect their servers from getting hacked via IPMI or BMC bugs?

Johannes Ullrich, head of SANS Storm Center, says protecting the IPMI interface is a tricky balance. "There is little one can do to protect an IPMI interface if the interface is needed to remotely administer the system, in particular, given the backdoor fixed passwords. The best you can do is limit access to the IPMI interface via a firewall, and maybe by changing default ports if this is an option," Ullrich said in a SANS ISC diary post. "Once exposed, an attacker will have the same access to the system as a user with physical system access. Remember that turning off a system may leave IPMI enabled unless you disconnect power or network connectivity."

Running the IPMI traffic over a separate management network or VLAN is also an option, Errata's Graham says.

"No matter how many updates you get, assume you've still got a problem. [IPMI] should always be managed [as if in a] hostile [environment]," he says.

Beardsley says security pros should talk with their IT and network staff who run their data centers. "Ask them nicely to make sure this stuff is not exposed on the WAN," he says.
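A minimal exposure check in the spirit of the scanning modules mentioned above, added here as an example that is not Rapid7's, Metasploit's or the article's own code: it builds the RMCP/ASF presence ping (the discovery packet an IPMI-over-LAN BMC answers on UDP 623), parses the pong, and flags any host that answers, so an operator can run it from outside the management VLAN to confirm that no BMC is reachable there. The hosts and the sample pong bytes are constructed, and the `prober` parameter is an assumption for offline testing.

```python
import socket
import struct

RMCP_PORT = 623          # RMCP / IPMI-over-LAN discovery port (UDP)
ASF_IANA = 0x000011BE    # IANA enterprise number 4542 used by ASF/RMCP
PING, PONG = 0x80, 0x40  # ASF presence ping / presence pong message types
HDR = ">BBBBIBBBB"       # RMCP header + ASF message header, 12 bytes

def build_presence_ping(tag=0x01):
    """RMCP header (version 6, seq 0xFF = no ack, class 6 = ASF) followed by
    an ASF presence-ping body carrying our tag and a zero data length."""
    return struct.pack(HDR, 0x06, 0x00, 0xFF, 0x06, ASF_IANA, PING, tag, 0, 0)

def parse_presence_pong(data, expected_tag=0x01):
    """Return a dict for a well-formed pong answering our tag, else None."""
    if len(data) < 28:
        return None
    ver, _, _seq, cls, iana, mtype, tag, _, dlen = struct.unpack(HDR, data[:12])
    if ver != 0x06 or (cls & 0x7F) != 0x06 or iana != ASF_IANA:
        return None  # not an ASF/RMCP message at all
    if mtype != PONG or tag != expected_tag or dlen < 16:
        return None  # not a pong, or not the one we asked for
    # Pong body: OEM IANA, OEM-defined field, supported entities, interactions.
    oem_iana, _oem, entities, interactions = struct.unpack(">IIBB", data[12:22])
    return {"ipmi": bool(entities & 0x80),   # bit 7: IPMI supported
            "asf_version": entities & 0x0F,  # low nibble: ASF version
            "oem_iana": oem_iana, "interactions": interactions}

def probe_bmc(host, timeout=1.0):
    """Send one presence ping to host:623 and parse the reply, if any."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_presence_ping(), (host, RMCP_PORT))
        data, _ = sock.recvfrom(512)
    except (socket.timeout, OSError):
        return None
    finally:
        sock.close()
    return parse_presence_pong(data)

def exposed_bmcs(hosts, prober=probe_bmc):
    """Run from OUTSIDE the management VLAN: any host answering with an
    IPMI-capable pong is reachable where it should not be (prober is injectable)."""
    return [h for h in hosts if (r := prober(h)) and r["ipmi"]]

# Constructed sample pong (not a capture): tag 1, ASF v1, IPMI supported.
SAMPLE_PONG = bytes.fromhex("0600ff06000011be40010010"
                            "000011be00000000" "8100" "000000000000")
```

Calling `exposed_bmcs(["192.0.2.10", "192.0.2.11"])` from an untrusted vantage point should return an empty list; any address it returns is a BMC that the firewall or VLAN split described above has not actually isolated.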

Rapid7's full report on the Supermicro bugs is here.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
