IPMI Security Hole in Some Supermicro Boards

ewhac · Jun 20, 2014

Given how popular Supermicro's products are among the membership, I thought I'd pass this along, which was recently posted to Slashdot. Seems Supermicro's IPMI is storing passwords as plaintext, as well as running a UPnP server (Universal Penetrate and Pwn). As a consequence, you can retrieve the password store from a vulnerable system using nothing more than a Web browser.

Supermicro have released a firmware fix for the problem, but for machines that can't be taken down and reflashed, the article below details a workaround wherein you login to the IPMI interface and kill the UPnP daemons.

Naturally, none of you guys would ever expose your IPMI interfaces to the open Internet, but still...

http://blog.cari.net/carisirt-yet-another-bmc-vulnerability-and-some-added-extras/

Ericloewe · Jun 20, 2014

While not a nice bug (is there such a thing?), exposing the IPMI interface to the Internet (or even a non-management network in larger environments like datacenters) is a major case of mismanagement...

I would like to know whose brilliant idea this "feature" was, though. To quote Apu Nahasapeemapetilon, "What in the hell were you thinking?"

cyberjock · Jun 20, 2014

Wow.. I definitely need to schedule an IPMI upgrade for my box. ;)

dlavigne · Jun 21, 2014

iX has posted a how-to for the fix: http://www.ixsystems.com/whats-new/how-to-fix-the-ipmi-remote-management-vulnerability/.

9C1 Newbee · Jun 21, 2014

If it wasn't for this forum, I would have never known of the issue and might have gotten pwned at some point. Although this issue could be considered a dead horse, I think it could benefit from a few more real good ass woopins.

As a side note, I am finding that some features of the Asus router are also insecure as a fat girl on a first date with a handsome guy at a buffet. So if you might wanna read up if you have an Asus.

cyberjock · Jun 21, 2014

9C1 Newbee said:
As a side note, I am finding that some features of the Asus router are also insecure as a fat girl on a first date with a handsome guy at a buffet. So if you might wanna read up if you have an Asus.

Hate to break it to you, but if you bought your Router and didn't do something like pfsense, etc you're already pwned.

The only difference between any router out there and any other router in terms of security is how long its been on the market. Put a router out there and its only secure until it's been able to be examined. These companies are so deplorable at security they shouldn't be allowed to exist.

9C1 Newbee · Jun 22, 2014

cyberjock said:
Hate to break it to you, but if you bought your Router and didn't do something like pfsense, etc you're already pwned.

The only difference between any router out there and any other router in terms of security is how long its been on the market. Put a router out there and its only secure until it's been able to be examined. These companies are so deplorable at security they shouldn't be allowed to exist.

That sucks! :( Learn something new every day. But I am in the middle of a pfsense install video as I type this.

panz · Jun 26, 2014

@9C1 Newbee If you really need remote access to your IPMI interface just use the VPN feature of pfSense: by using a VPN you can access your internal LAN without exposing your NAS to Internet.

9C1 Newbee · Jun 27, 2014

Thank you panz. I currently use VPN on my ASUS router. But I could have had a sweet pfSense box for the price of the Asus.

Important Announcement for the TrueNAS Community.

IPMI Security Hole in Some Supermicro Boards

ewhac

Contributor

Ericloewe

Server Wrangler

cyberjock

Inactive Account

dlavigne

Guest

9C1 Newbee

Patron

cyberjock

Inactive Account

9C1 Newbee

Patron

panz

Guru

9C1 Newbee

Patron

Similar threads