Rapid7 late last week disclosed several previously unknown security bugs in Supermicro's Intelligent Platform Management Interface (IPMI) protocol implementation in its Baseboard Management Controller (BMC) firmware that, in effect, give attackers near-physical access to the affected servers. BMC firmware and its corresponding IPMI interface are basically remote management tools for the servers. The flaws were found in firmware version SMT_X9_226 of Supermicro's product, and Supermicro recently updated the firmware with version SMT_X9_315, which Rapid7 found only addresses some of the zero-days as well as some other flaws.
Among the flaws Rapid7 found were static encryption keys, hard-coded credentials, and buffer overflows. Moore, who is chief research officer for Rapid7 and creator of Metasploit, says his team has not been able to confirm that Supermicro's firmware update fixes the static encryption key and hard-coded credentials issue.
Supermicro had not yet responded to a press inquiry as of this posting.
Moore previously had revealed major holes in embedded devices, home routers, corporate videoconferencing systems, and other equipment on the public Internet that is open to abuse by bad guys. He and fellow researcher Dan Farmer in July announced they had discovered around 300,000 servers online at serious risk of hacker takeover via bugs in IPMI and BMC. An attacker could steal data from attached storage devices, tinker with operating system settings, install a backdoor, sniff credentials sent via the server, wipe the hard drives, or launch a denial-of-service attack on the servers, according to the researchers.
[A widely deployed protocol and controller used in servers and workstations both contain serious vulnerabilities that, in effect, give attackers near-physical access to the machines. Some 300,000 servers were discovered online at risk to this threat. See New Gaping Security Holes Found Exposing Servers. ]
The Supermicro bugs are the latest example of how data centers can also be unknowingly exposed on the public Net. And the rub: Even if Supermicro fixes all of the bugs, that doesn't mean its customers will apply the patches.
"The problem is that nobody updates them, so it doesn't matter if the vendor patches it or not. The most we can do is awareness," says Tod Beardsley, Metasploit engineering manager for Rapid7. Metasploit now offers scanning modules for its framework that organizations can use to determine whether their servers are at risk, he says.
"Exploiting [these bugs] is going to give you control over the BMC, which is then a short walk to the server itself," he says. "You can enable a KVM and have a remote mouse as if you are standing in the data center ... then you can steal all the data."
Robert Graham, CEO of Errata, which has been conducting Internet scan research of its own, says Moore's IPMI research is the most critical to enterprises because it shows how corporate servers and data centers are exposed.
Even though many of the flaws that are found in Moore's, Errata Security's, and others' scans go ignored by many users and vendors, it's still necessary because the bad guys are doing the very same scans, Graham contends. "IPMI is dangerous, and that has been known for a long time [by hackers]," he says.
Exposing the vulnerable devices ultimately pressures vendors to do something to improve security, he says. Graham says "making a stink" about these problems prevents vendors from holding their users hostage. "When they say [to researchers], 'Please don't disclose this vulnerability because it affects my users' ... it means, 'I'm holding my users hostage,'" Graham says.
So what can enterprises do to protect their servers from getting hacked via IPMI or BMC bugs?
Johannes Ullrich, head of SANS Storm Center, says protecting the IPMI interface is a tricky balance. "There is little one can do to protect an IPMI interface if the interface is needed to remotely administer the system, in particular, given the backdoor fixed passwords. The best you can do is limit access to the IPMI interface via a firewall, and maybe by changing default ports if this is an option," Ullrich said in a SANS ISC diary post. "Once exposed, an attacker will have the same access to the system as a user with physical system access. Remember that turning off a system may leave IPMI enabled unless you disconnect power or network connectivity."
Running the IPMI traffic over a separate management network or VLAN is also an option, Errata's Graham says.
"No matter how many updates you get, assume you've still got a problem. [IPMI] should always be managed [as if in a] hostile [environment]," he says.
Beardsley says security pros should talk with their IT and network staff who run their data centers. "Ask them nicely to make sure this stuff is not exposed on the WAN," he says.
Rapid7's full report on the Supermicro bugs is here.
Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.