New Supermicro IPMI/BMC Vulnerability
A new vulnerability has been released by the CARI.net team regarding Supermicro's implementation of IPMI/BMC for management. The vulnerability involves a plaintext password file available for download simply by connecting to the specific port, 49152. One of our team has tested this vulnerability, and it works like a champ, so let's add another log to the fire and spread the good word. The CARI.net team has a great writeup on the vulnerability linked below:
http://blog.cari.net/carisirt-yet-another-bmc-vulnerability-and-some-added-extras/
Many thanks to Zach at CARI.net for the heads-up.
tony d0t carothers --gmail
Comments
Snort VRT
1:27238 <-> DISABLED <-> SERVER-OTHER IPMI default username - admin (server-other.rules)
1:27240 <-> DISABLED <-> SERVER-OTHER multiple vendors IPMI RAKP username brute force attempt (server-other.rules)
1:27239 <-> DISABLED <-> SERVER-OTHER IPMI default username - USERID (server-other.rules)
1:27237 <-> DISABLED <-> SERVER-OTHER IPMI default username - root (server-other.rules)
Emerging threats
2018585 - ET EXPLOIT Supermicro BMC Password Disclosure 1 (exploit.rules)
2018586 - ET EXPLOIT Supermicro BMC Password Disclosure 2 (exploit.rules)
2018587 - ET EXPLOIT Supermicro BMC Password Disclosure 3 (exploit.rules)
2018588 - ET EXPLOIT Supermicro BMC Password Disclosure 4 (exploit.rules)
Trend Micro
http://www.tripwire.com/state-of-security/top-security-stories/vert-alert-supermicro-ipmibmc-plaintext-password-disclosure/
Scanners
OpenVAS
https://wald.intevation.org/scm/viewvco.php/scripts/2014/gb_supermicro_bmc_06_14.nasl?root=openvas-nvts&view=markup
Nmap
http://seclists.org/nmap-dev/2014/q2/525
Anonymous
Jun 23rd 2014
Anonymous
Jun 23rd 2014
If you find ANY products by any other vendor that are susceptible to this issue, please let me know. It appears that Supermicro sold OEM versions of this to some other companies whose subsequent products are similarly affected. I have a dialogue with Supermicro open about this.
I'm also tracking any and all boards that either are not well known, do not have official patches or you have trouble patching. Thanks!
Zach W.
sirt@cari.net
Anonymous
Jun 24th 2014
not vulnerable to the UPnP attack, but vulnerable to the equally bad and more widespread cipher-suite-0 attack vulnerability.

One should first issue

ipmitool ... channel getciphers ipmi 1
ipmitool ... lan print 1

where ... designates typical authentication and target address parameters.

For a Supermicro X8DTU-F mainboard running firmware version 1.17, one obtains first a list of active cipher sets and second one sees

...
Cipher Suite Priv Max : aaaaXXaaaXXaaXX

where 'X's correspond to empty cipher sets and 'a's correspond to available ciphers. Then run

ipmitool ... lan set 1 cipher_privs uuuaXXuuuXXuuXX

which restricts all Cipher-Suites except C3 to user-privilege-only activities. Testing with

ipmitool ... -P bad_passwd -C0 user list

now returns

Set Session Privilege Level to ADMINISTRATOR failed

Disabling all accounts except those at administrator access level prevents unauthenticated access, but for shops where user access level is employed this will still prevent creation of new accounts. Setting user-access account names to non-default and non-obvious values will reduce risk further.

It would be preferable to employ 'X' to completely disable cipher suites, but this doesn't work for this particular BMC and leaves suites open to administrator account login.

Anyone applying this must be *VERY* careful to place the 'a' in the correct position or they may lock themselves out from administrative access.

------

Another old BMC, the HP LO-100, is mitigated with

ipmitool ... lan set 2 cipher_privs uuuOXXXXXXXXXXX

With a LO-100, one should use the web management interface and disable all but one or two logins to reduce the attack surface. Avoid permitting user-access-level accounts.

Yet another example is an old Tyan M3295 IPMI daughter card, also vulnerable to the cipher-suite-0 attack. In this case 'X' is effective for disabling cipher sets and the hole may be closed with

ipmitool ... lan set 1 cipher_privs XXXaXXXXXXXXXXX
Anonymous
Jun 25th 2014
It appears that Cipher-Suite-1 is referenced by web administration with the X8DTU-F BMC firmware. To avoid locking out web management, use this instead of the above:

ipmitool ... lan set 1 cipher_privs uauaXXuuuXXuuXX
Anonymous
Jun 25th 2014
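As an added example (not code from the diary or from either commenter above), a small Python helper that derives the cipher_privs string from the BMC's own "Cipher Suite Priv Max" line instead of counting positions by hand, so the 'a' lands on the intended suite; it reproduces the suite-3-only map, the variant that also keeps suite 1 for web management, and the 'X' form for BMCs where disabling works. The sample lan print output and the function names are constructed for this example.

```python
import re

# ipmitool privilege letters for "lan set <chan> cipher_privs" (ipmitool man page):
# X = suite unused/disabled, c = CALLBACK, u = USER, o = OPERATOR, a = ADMIN, O = OEM
VALID_PRIVS = set("XcuoaO")
PRIV_MAX_RE = re.compile(r"^Cipher Suite Priv Max\s*:\s*([XcuoaO]{15})\s*$", re.M)


def parse_priv_max(lan_print_output: str) -> str:
    """Pull the 15-letter map (one letter per cipher suite 0..14) out of
    'ipmitool lan print' output; raise if the BMC did not report one."""
    m = PRIV_MAX_RE.search(lan_print_output)
    if not m:
        raise ValueError("no 'Cipher Suite Priv Max' line with 15 entries found")
    return m.group(1)


def build_cipher_privs(current: str, keep_admin: set, downgrade: str = "u") -> str:
    """Derive the new map from the current one: suites in keep_admin stay 'a',
    every other active suite drops to `downgrade` ('u' for BMCs that ignore 'X',
    'X' where disabling works), and unused suites stay 'X'. Positions come from
    the BMC's own map, so the 'a' cannot land on the wrong suite by miscounting."""
    if len(current) != 15 or set(current) - VALID_PRIVS:
        raise ValueError(f"malformed privilege map: {current!r}")
    if len(downgrade) != 1 or downgrade not in "Xcuo":
        raise ValueError("downgrade privilege must be X, c, u or o")
    if 0 in keep_admin:
        raise ValueError("cipher suite 0 (no auth, no integrity) must not keep ADMIN")
    for s in keep_admin:
        if not 0 <= s <= 14 or current[s] == "X":
            raise ValueError(f"cipher suite {s} is not available on this BMC")
    return "".join(
        "X" if priv == "X" else "a" if suite in keep_admin else downgrade
        for suite, priv in enumerate(current)
    )


def ipmitool_command(channel: int, current: str, keep_admin: set, downgrade: str = "u") -> str:
    """The command line to review before running ('...' stands for auth/target args)."""
    return f"ipmitool ... lan set {channel} cipher_privs " + build_cipher_privs(current, keep_admin, downgrade)


# Constructed sample 'lan print' output modelled on the X8DTU-F line quoted in the comments.
SAMPLE_LAN_PRINT = """Set in Progress         : Set Complete
IP Address              : 192.0.2.10
Cipher Suite Priv Max   : aaaaXXaaaXXaaXX
"""

if __name__ == "__main__":
    cur = parse_priv_max(SAMPLE_LAN_PRINT)
    print(ipmitool_command(1, cur, {3}))       # only suite 3 keeps ADMIN
    print(ipmitool_command(1, cur, {1, 3}))    # also keep suite 1 for the web UI
    print(ipmitool_command(1, cur, {3}, "X"))  # BMCs where 'X' really disables a suite
```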