New Supermicro IPMI/BMC Vulnerability

Published: 2014-06-19
Last Updated: 2014-06-19 21:52:47 UTC
by Tony Carothers (Version: 1)
5 comment(s)

A new vulnerability has been released by the CARI.net team regarding Supermicro's implementation of IPMI/BMC for management. The vulnerability involves a plaintext password file available for download simply by connecting to the specific port, 49152. One of our team has tested this vulnerability, and it works like a champ, so let's add another log to the fire and spread the good word. The CARI.net team has a great writeup on the vulnerability linked below:

http://blog.cari.net/carisirt-yet-another-bmc-vulnerability-and-some-added-extras/


Much thanks to Zach at CARI.net for the heads-up.

tony d0t carothers --gmail

Keywords: BMC IPMI

Comments

Bunch of signatures came up recently. They might be related to this:

Snort VRT

1:27238 <-> DISABLED <-> SERVER-OTHER IPMI default username - admin (server-other.rules)
1:27240 <-> DISABLED <-> SERVER-OTHER multiple vendors IPMI RAKP username brute force attempt (server-other.rules)
1:27239 <-> DISABLED <-> SERVER-OTHER IPMI default username - USERID (server-other.rules)
1:27237 <-> DISABLED <-> SERVER-OTHER IPMI default username - root (server-other.rules)

Emerging threats

2018585 - ET EXPLOIT Supermicro BMC Password Disclosure 1 (exploit.rules)
2018586 - ET EXPLOIT Supermicro BMC Password Disclosure 2 (exploit.rules)
2018587 - ET EXPLOIT Supermicro BMC Password Disclosure 3 (exploit.rules)
2018588 - ET EXPLOIT Supermicro BMC Password Disclosure 4 (exploit.rules)

Trend Micro

http://www.tripwire.com/state-of-security/top-security-stories/vert-alert-supermicro-ipmibmc-plaintext-password-disclosure/

Scanners

OpenVAS

https://wald.intevation.org/scm/viewvco.php/scripts/2014/gb_supermicro_bmc_06_14.nasl?root=openvas-nvts&view=markup

Nmap

http://seclists.org/nmap-dev/2014/q2/525

SM has not posted a revised firmware to correct issue for the H8DG6-F mainboard. Is vulnerable.

Hey guys,

If you find ANY products by any other vendor that are susceptible to this issue, please let me know. It appears that Supermicro sold OEM versions of this to some other companies whose subsequent products are similarly affected. I have a dialogue with Supermicro open about this.

I'm also tracking any and all boards that either are not well known, do not have official patches or you have trouble patching. Thanks!

Zach W.
sirt@cari.net

Found a mitigation for older BMC firmwares not vulnerable to the UPnP attack, but vulnerable to the equally bad and more widespread cipher-suite-0 attack vulnerability.

One should first issue

ipmitool ... channel getciphers ipmi 1
ipmitool ... lan print 1

Where ... designates typical authentication and target address parameters.

For a Supermicro X8DTU-F mainboard running firmware version 1.17, one obtains first a list of active cipher sets and second one sees

.
.
.
Cipher Suite Priv Max : aaaaXXaaaXXaaXX

Where 'X's correspond to empty cipher sets and 'a's correspond to available ciphers. Then run

ipmitool ... lan set 1 cipher_privs uuuaXXuuuXXuuXX

which restricts all Cipher-Suites except C3 to user-privilege-only activities.

Testing with

ipmitool ... -P bad_passwd -C0 user list

now returns

Set Session Privilege Level to ADMINISTRATOR failed

Disabling all accounts except those at administrator access level prevents unauthenticated access, but for shops where user access level is employed this will still prevent creation of new accounts. Setting user-access account names to non-default and non-obvious values will reduce risk further.

Would be preferable to employ 'X' to completely disable cipher suites, but this doesn't work for this particular BMC and leaves suites open to administrator account login.

Anyone applying this must be *VERY* careful to place the 'a' in the correct position or they may lock themselves out from administrative access.

------

Another old BMC, the HP LO-100, is mitigated with

ipmitool ... lan set 2 cipher_privs uuuOXXXXXXXXXXX

With a LO-100, one should use the web management interface and disable all but one or two logins to reduce the attack surface. Avoid permitting user-access-level accounts.

Yet another example is an old Tyan M3295 IPMI daughter card, also vulnerable to cipher-suite-0 attack. In this case 'X' is effective for disabling cipher sets and the hole may be closed with

ipmitool ... lan set 1 cipher_privs XXXaXXXXXXXXXXX

correction:

It appears that Cipher-Suite-1 is referenced by web administration with the X8DTU-F BMC firmware. To avoid locking out web management, use this instead of the above:

ipmitool ... lan set 1 cipher_privs uauaXXuuuXXuuXX
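The cipher_privs string in the mitigation comment and its correction is positional (character i is cipher suite i), which is exactly where the lock-out risk comes from. As an added example, not from the commenter or from ipmitool, the Python below pulls the Cipher Suite Priv Max value out of lan print output and reviews a proposed string for residual suite 0 exposure, loss of ADMIN on the suites management needs, and misaligned positions. It assumes ipmitool's documented letter legend (X unused, c CALLBACK, u USER, o OPERATOR, a ADMIN, O OEM) and uses a constructed lan print excerpt rather than output captured from a real BMC.

```python
import re

# Privilege letters accepted by "ipmitool lan set <ch> cipher_privs", lowest
# to highest (assumption: ipmitool's documented legend, X=unused, c=CALLBACK,
# u=USER, o=OPERATOR, a=ADMIN, O=OEM). Position i of the string is suite i.
PRIV_RANK = {"X": 0, "c": 1, "u": 2, "o": 3, "a": 4, "O": 5}

# Constructed excerpt of "ipmitool lan print" output, reproducing the
# X8DTU-F Priv Max value quoted in the comment; not captured from a real BMC.
SAMPLE_LAN_PRINT = """\
RMCP+ Cipher Suites     : 0,1,2,3,6,7,8,11,12
Cipher Suite Priv Max   : aaaaXXaaaXXaaXX
                        :     X=Cipher Suite Unused
"""


def parse_priv_max(lan_print_output):
    """Return the 15-character Cipher Suite Priv Max string from lan print output."""
    m = re.search(r"Cipher Suite Priv Max\s*:\s*([XcuoaO]{15})", lan_print_output)
    if not m:
        raise ValueError("no Cipher Suite Priv Max line found")
    return m.group(1)


def check_cipher_privs(current, proposed, admin_suites=(1, 3)):
    """Review a proposed cipher_privs string before it is applied.

    Suite 0 authenticates nothing, so any letter above 'X' there is reachable
    without a valid password. admin_suites must keep ADMIN so that management
    (suite 3 for ipmitool, suite 1 for the X8DTU-F web UI) is not locked out.
    Returns a list of findings; an empty list means nothing was flagged.
    """
    if len(proposed) != 15 or any(c not in PRIV_RANK for c in proposed):
        return ["cipher_privs must be exactly 15 characters from X c u o a O"]
    findings = []
    if PRIV_RANK[proposed[0]] > PRIV_RANK["u"]:
        findings.append("suite 0 grants OPERATOR or higher without a password")
    elif proposed[0] != "X":
        findings.append("suite 0 still grants '%s'-level access without a password" % proposed[0])
    for i in admin_suites:
        if PRIV_RANK[proposed[i]] < PRIV_RANK["a"]:
            findings.append("suite %d no longer allows ADMIN: risk of lock-out" % i)
    for i, (cur, new) in enumerate(zip(current, proposed)):
        if cur == "X" and new != "X":  # a letter on an unused slot means the string is shifted
            findings.append("suite %d is unused on this BMC but proposed '%s': misaligned?" % (i, new))
    return findings
```

Run it against the real `ipmitool ... lan print 1` output before issuing `lan set`, and treat any lock-out finding as a stop.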
