Management Protocol Flaws Leave At Least 100k Servers Open For Hacking

More than 100,000 servers are likely vulnerable to compromise thanks to a slew of flaws in a protocol used by many of the world’s systems, according to a pair of researchers.

The problems lie in the Intelligent Platform Management Interface (IPMI) protocol, a standard managed by Intel that is used by servers’ Baseboard Management Controllers (BMCs).

BMCs are essentially mini computers installed on machines to let IT manage them remotely. They are produced by many well-known providers, including HP, Dell and IBM, and are often embedded ARM-based systems.

IPMI is the protocol used by BMCs and comes in two versions – 1.5 and 2.0 – both of which have dangerous vulnerabilities.

As soon as a hacker takes control of the BMC, they can easily compromise the entire server, according to researchers.

Problems with the protocol

Initial research uncovering the flaws was carried out by Dan Farmer, who put together a report for the US government earlier this year. Last month, Rapid7 chief HD Moore decided to do a scan to figure out how many were vulnerable.

One of the most serious flaws, affecting 99,000 servers, exposes password as IPMI 2.0 sends any requesting client a cryptographic hash of a requested user’s login details, meaning attackers could just brute force the password to compromise a BMC.

Given a python scipt and separate Metasploit module already exist to reproduce the attack, IT admins have been advised to use lengthy complex passwords. Even then, given the power of GPUs to do massive brute force attacks, they may not secure their servers.

Another flaw in IPMI 2.0 is that it uses the Cipher 0 encryption method, which negates the need for authentication for IPMI commands. This affects 53,000 BMCs. All the attacker needs is an admin username, “which is almost never an issue”, according to Moore.

A third vulnerability is that IPMI passwords have to be stored unencrypted on the BMC. “This has significant remaifications when combined with the other vulnerabilities that allow remote root access to the BMC, because organisations place servers into large (at times exceeding 100,000 or more computers) managed IPMI groups that all share the same password,” Rapid7 noted in its FAQ on the flaws.

Certain BMCs also enable the Universal Plug and Play (UPnP) protocol by default and don’t allow users to disable it. As previous HD Moore research has shown, UPnP itself is riddled with exploitable flaws.

Another 35,000 BMCs manufactured by Supermicro are vulnerable to a remote root compromise too, Rapid7 said, and an exploit module is available in Metasploit too. Supermicro had not responded to a request for comment at the time of publication.

The company said one of the most basic ways of breaking into a server, having compromised a BMC, would be to reboot the server with a virtual CD-ROM and use a rescue disk. Together, that will reset the local Windows admin account password and disable console authentication in both Linux and Windows. It’s then simple to force the server to boot normally and hand over access to the attacker.

This would provide the “equivalent of physical access to the server”. “If the hard drives of the server are not encrypted, an attacker could boot the server into a rescue environment, and manipulate or copy the file system without any assistance from the server’s operating system,” Rapid7 said.

Time to care about BMC security

Another major issue is that not many care about IPMI. As Farmer noted in his research published in January: “IT’s reliance on IPMI to reduce costs, the near-complete lack of research, 3rd party products, or vendor documentation on IPMI and the BMC security, and the permanent nature of the BMC on the motherboard make it currently very difficult to defend, fix or remediate against these issues.”

Moore added: “In addition to vulnerabilities in the IPMI protocol itself, most BMCs seem to suffer from issues common across all embedded devices, namely default passwords, outdated open source software, and, in some cases, backdoor accounts and static encryption keys.

“The world of BMCs is a mess that is not likely to get better anytime soon.”

UPDATE: Supermicro said it has now issued patches to cover off the flaws. Learn about the updates here: http://www.supermicro.com/support/faqs/faq.cfm?faq=16536

Think you know security? Test yourself with our quiz!

Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.

Recent Posts

Craig Wright Sentenced For Contempt Of Court

Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…

3 days ago

El Salvador To Sell Or Discontinue Bitcoin Wallet, After IMF Deal

Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…

3 days ago

UK’s ICO Labels Google ‘Irresponsible’ For Tracking Change

Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…

3 days ago

EU Publishes iOS Interoperability Plans

European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…

4 days ago

Momeni Convicted In Bob Lee Murder

San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…

4 days ago