Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

11/11/2013
04:59 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Data Center Servers Exposed

Popular server firmware contains multiple zero-day vulnerabilities, but fixes are fraught with trade-offs

You definitely don't want to show up on one of HD Moore's Internet scans. But some 35,000 -- and counting -- servers have been found exposed on the Internet by the renowned researcher and his team in their ongoing global scanning project aimed at detecting networked devices in danger of attack. In the latest twist, popular server firmware exposed on the Net also contains multiple zero-day bugs that leave corporate servers open to outside attackers.

Rapid7 late last week disclosed several previously unknown security bugs in Supermicro's Intelligent Platform Management Interface (IPMI) protocol implementation in its Baseboard Management Controller (BMC) firmware that, in effect, give attackers near-physical access to the affected servers. BMC firmware and its corresponding IPMI interface are basically remote management tools for the servers. The flaws were found in firmware version SMT_X9_226 of Supermicro's product, and Supermicro recently updated the firmware with version SMT_X9_315, which Rapid7 found only addresses some of the zero-days as well as some other flaws.

Among the flaws Rapid7 found were static encryption keys, hard-coded credentials, and buffer overflows. Moore, who is chief research officer for Rapid7 and creator of Metasploit, says his team has not been able to confirm that Supermicro's firmware update fixes the static encryption key and hard-coded credentials issue.

Supermicro had not yet responded to a press inquiry as of this posting.

Moore previously had revealed major holes in embedded devices, home routers, corporate videoconferencing systems, and other equipment on the public Internet that is open to abuse by bad guys. He and fellow researcher Dan Farmer in July announced they had discovered around 300,000 servers online at serious risk of hacker takeover via bugs in IPMI and BMC. An attacker could steal data from attached storage devices, tinker with operating system settings, install a backdoor, sniff credentials sent via the server, wipe the hard drives, or launch a denial-of-service attack on the servers, according to the researchers.

[A widely deployed protocol and controller used in servers and workstations both contain serious vulnerabilities that, in effect, give attackers near-physical access to the machines. Some 300,000 servers were discovered online at risk to this threat. See New Gaping Security Holes Found Exposing Servers. ]

The Supermicro bugs are the latest example of how data centers can also be unknowingly exposed on the public Net. And the rub: Even if Supermicro fixes all of the bugs, that doesn't mean its customers will apply the patches.

"The problem is that nobody updates them, so it doesn't matter if the vendor patches it or not. The most we can do is awareness," says Tod Beardsley, Metasploit engineering manager for Rapid7. Metasploit now offers scanning modules for its framework that organizations can use to determine whether their servers are at risk, he says.

"Exploiting [these bugs] is going to give you control over the BMC, which is then a short walk to the server itself," he says. "You can enable a KVM and have a remote mouse as if you are standing in the data center ... then you can steal all the data."

Robert Graham, CEO of Errata, which has been conducting Internet scan research of its own, says Moore's IPMI research is the most critical to enterprises because it shows how corporate servers and data centers are exposed.

Even though many of the flaws that are found in Moore's, Errata Security's, and others' scans go ignored by many users and vendors, it's still necessary because the bad guys are doing the very same scans, Graham contends. "IPMI is dangerous, and that has been known for a long time [by hackers]," he says.

Exposing the vulnerable devices ultimately pressures vendors to do something to improve security, he says. Graham says "making a stink" about these problems prevents vendors from holding their users hostage. "When they say [to researchers], 'Please don't disclose this vulnerability because it affects my users' ... it means, 'I'm holding my users hostage,'" Graham says.

So what can enterprises do to protect their servers from getting hacked via IPMI or BMC bugs?

Johannes Ullrich, head of SANS Storm Center, says protecting the IPMI interface is a tricky balance. "There is little one can do to protect an IPMI interface if the interface is needed to remotely administer the system, in particular, given the backdoor fixed passwords. The best you can do is limit access to the IPMI interface via a firewall, and maybe by changing default ports if this is an option," Ullrich said in a SANS ISC diary post. "Once exposed, an attacker will have the same access to the system as a user with physical system access. Remember that turning off a system may leave IPMI enabled unless you disconnect power or network connectivity."

Running the IPMI traffic over a separate management network or VLAN is also an option, Errata's Graham says.

"No matter how many updates you get, assume you've still got a problem. [IPMI] should always be managed [as if in a] hostile [environment]," he says.

Beardsley says security pros should talk with their IT and network staff who run their data centers. "Ask them nicely to make sure this stuff is not exposed on the WAN," he says.

Rapid7's full report on the Supermicro bugs is here.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
44% of Security Threats Start in the Cloud
Kelly Sheridan, Staff Editor, Dark Reading,  2/19/2020
Zero-Factor Authentication: Owning Our Data
Nick Selby, Chief Security Officer at Paxos Trust Company,  2/19/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
How Enterprises Are Developing and Maintaining Secure Applications
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-9405
PUBLISHED: 2020-02-26
IBL Online Weather before 4.3.5a allows unauthenticated reflected XSS via the redirect page.
CVE-2020-9406
PUBLISHED: 2020-02-26
IBL Online Weather before 4.3.5a allows unauthenticated eval injection via the queryBCP method of the Auxiliary Service.
CVE-2020-9407
PUBLISHED: 2020-02-26
IBL Online Weather before 4.3.5a allows attackers to obtain sensitive information by reading the IWEBSERVICE_JSONRPC_COOKIE cookie.
CVE-2020-9398
PUBLISHED: 2020-02-25
ISPConfig before 3.1.15p3, when the undocumented reverse_proxy_panel_allowed=sites option is manually enabled, allows SQL Injection.
CVE-2015-5201
PUBLISHED: 2020-02-25
VDSM and libvirt in Red Hat Enterprise Virtualization Hypervisor (aka RHEV-H) 7-7.x before 7-7.2-20151119.0 and 6-6.x before 6-6.7-20151117.0 as packaged in Red Hat Enterprise Virtualization before 3.5.6 when VSDM is run with -spice disable-ticketing and a VM is suspended and then restored, allows r...